On the 7th of January 2025, PowerSchool notified the Calgary Board of Education (CBE), school boards, and many schools across Alberta about a massive student data privacy breach that occurred in late December 2024. According to CBE’s website, the breach involved the personal and demographic information of CBE staff, students, and parents [1].

PowerSchool is a widely used Student Information System (SIS) that provides teachers, students, and parents with an online platform to manage and track academic and educational progress. PowerSchool’s SIS stores a spectrum of personally identifiable information (PII) such as:

  • Student Personal Information, including first, middle, and surname; CBE-issued email address, home address, and phone number when attending a CBE school; birthdate; gender; and grade. In some cases, this also includes medical information such as allergies, medications, medical conditions, and/or support.
  • Staff Information, including first, middle, and surname; CBE employee number; school name code, school address and phone number; department and/or teaching specialty, and CBE-issued email address.

CBE confirmed on its website that it does not collect Social Insurance Numbers (SINs) or personal documents such as birth certificates, driver’s licenses, and immigration documents [1].

What Happened

PowerSchool is a leading cloud-based software provider for education management solutions in North America, serving over 18,000 schools across ninety countries and supporting more than sixty million students. According to PowerSchool’s website, the attack began with unauthorized access to its internal customer support portal, called PowerSource, using compromised credentials.

The breach allowed the intruders to gain access to the Student Information System (SIS) and the backend database containing all sensitive information for students, school staff, and parents. According to CrowdStrike, the cybersecurity consultant hired by PowerSchool, it is still not clear how the credentials were compromised.

The Impact

According to Global News, at least 80 Canadian school boards across seven provinces had been impacted by the PowerSchool privacy breach. The exact number of impacted students has not been disclosed; however, the number is in the millions.

According to Global News, the impact was massive, including 2.4 million students in Ontario, 21 schools in Manitoba, and many school boards in Alberta, including the Calgary Board of Education, Edmonton Catholic School Division, Red Deer Public Schools, Medicine Hat Catholic Board of Education and Medicine Hat Public Schools.

BleepingComputer, a leading cybersecurity news site, published an article claiming that 593,518 CBE students and 133,677 teachers were impacted by the PowerSchool breach [5].

The Canadian federal privacy commissioner is quite concerned about the breach, and officials in all provinces are assessing the impact to determine the next step. Unfortunately, the privacy breach was not limited to current student records; it also included all historical records stored in the SIS [2].

PowerSchool’s Response

According to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are obligated to report any breach of security safeguards involving personal information to the Privacy Commissioner of Canada and must also notify affected individuals about the breach in such situations.

On January 7th, PowerSchool notified all relevant regulators on its customers’ behalf in applicable jurisdictions as well as students about the privacy breach. PowerSchool’s website confirmed that the impact included personal information, such as names, contact details, dates of birth, limited medical records, social insurance/security numbers (SIN, SSN), and other related information [4].

PowerSchool offered two years of complimentary identity protection services to all involved students and educators, regardless of whether an individual’s social insurance/security number was exfiltrated. Additionally, PowerSchool pledged to continuously prioritize reviewing its cybersecurity defenses and to take full responsibility for protecting the data privacy of students, families, and educators with extreme seriousness [4].

Lessons Learned

  • Lack of Differential Privacy: The fact that the attackers were able to exfiltrate a massive number of records using compromised credentials confirms that no limit was set on queries to the backend services. Data privacy techniques such as Differential Privacy, which adds noise to sensitive and identifiable student information (such as SIN/SSN, date of birth, etc.), could prevent the attackers from re-identifying the sensitive information. Although it is not fully understood how the attackers were able to exfiltrate this much data, it can be safely assumed that the millions of stolen records were queried using SQL scripts, which could have been prevented if a privacy query language such as Privacy Integrated Queries (PINQ) had been used in developing PowerSchool’s applications.
  • Lack of Data Encryption or the Use of Homomorphic Ciphers: The fact that the attackers were able to compromise the credentials of the internal support portal (PowerSource) and use the same credentials to access backend services confirms that the backend services are accessed with user-based credentials, which is not a best practice for data protection. Alternatively, the backend services could employ Homomorphic Ciphers to guarantee data encryption while at rest.
  • Lack of Data Perturbation: Data privacy techniques such as Multiplicative Data Perturbation could be used to alter and protect sensitive information such as SIN/SSN, date of birth, phone numbers, and other numeric information.
  • Lack of Role-Based Access Control (RBAC) and Segregation of Duties: The compromised credentials on the internal support portal (PowerSource) should not have privileged access to all school records in the backend SIS services. The credentials of a support agent should not have such elevated access to the backend services.
  • Lack of Multi-Factor Authentication (MFA): Connecting from one service to another using the same credential without validating or proving the user’s identity is a critical flaw in the access control process. Access attacks, like pass-the-token, often occur due to a lack of MFA.
  • Lack of Application Programming Interface (API): An API provides a modern data exchange framework, such as JSON Web Token (JWT), that allows data exchange with a specific scope using protected secret access keys, preventing internal users from gaining full elevated access to the backend services. So even assuming there was no external breach, internal users still pose a potential security threat due to this vulnerability.
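
The scoped-access idea behind the RBAC and API points above, as an added Python example (not PowerSchool's code and not part of the original post): an HS256-signed token carries a scope, a district binding and a row cap, and the backend refuses anything outside them. The claim names `district` and `max_rows`, the action strings and the key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # placeholder; real keys belong in a secrets manager

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    # Algorithm is fixed server-side (HS256); the header's "alg" is never trusted.
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint(claims):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def verify(token, now):
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
    except ValueError as exc:          # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorize(token, action, district, rows_requested, now=None):
    """Return 'allow' or 'deny: <reason>' for one backend request."""
    try:
        claims = verify(token, time.time() if now is None else now)
    except PermissionError as exc:
        return f"deny: {exc}"
    if action not in claims.get("scope", "").split():
        return f"deny: scope does not include {action}"
    if claims.get("district") != district:          # hypothetical claim
        return "deny: token is bound to another district"
    if rows_requested > claims.get("max_rows", 0):  # hypothetical claim
        return "deny: bulk read exceeds the token's row cap"
    return "allow"
```

A support-agent token minted with scope `ticket:read student:read`, district `D-001` and `max_rows` 1 is allowed a single-record lookup in D-001 and denied a 500,000-row read, a read in another district, or any export action.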

Recommendations and Mitigation

  • Use Differential Privacy by adding noise to the sensitive data and set rate limits to data queries.
  • Use Data Perturbation to protect students’ numeric information, especially for records stored off-site in third-party repositories.
  • Use Homomorphic Ciphers for data encryption at rest and when data is exchanged.
  • Enforce RBAC and Segregation of Duties when accessing data between services.
  • Enforce multi-factor authentication (MFA) when accessing student data using user-based credentials.
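
An added example illustrating the first recommendation (not from the original post or from PowerSchool): a minimal PINQ-style wrapper in Python where callers receive only Laplace-noised counts and a per-caller privacy budget caps how many queries they can run. The class and method names, the budget values and the sample records are assumptions made for illustration.

```python
import random

class BudgetExhausted(Exception):
    """The caller has spent its whole privacy budget."""

class PrivateTable:
    """PINQ-style wrapper: callers receive noisy aggregates, never raw rows."""

    def __init__(self, rows, total_epsilon, rng=None):
        self._rows = list(rows)            # raw records stay inside the wrapper
        self._remaining = total_epsilon    # privacy budget left for this caller
        self._rng = rng or random.Random() # assumption: demo RNG, not a vetted DP sampler

    @property
    def remaining_budget(self):
        return self._remaining

    def _laplace(self, scale):
        # The difference of two i.i.d. exponentials is Laplace(0, scale).
        rate = 1.0 / scale
        return self._rng.expovariate(rate) - self._rng.expovariate(rate)

    def noisy_count(self, predicate, epsilon):
        """Laplace mechanism; a count has sensitivity 1, so scale = 1/epsilon."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self._remaining:
            raise BudgetExhausted("privacy budget spent; query refused")
        self._remaining -= epsilon         # sequential composition: costs add up
        true_count = sum(1 for row in self._rows if predicate(row))
        return true_count + self._laplace(1.0 / epsilon)

def demo():
    # Constructed sample records, not real student data.
    rows = [{"grade": 9 + i % 4, "allergy": i % 7 == 0} for i in range(1000)]
    table = PrivateTable(rows, total_epsilon=1.0, rng=random.Random(2025))
    answers = [table.noisy_count(lambda r: r["grade"] == 10, epsilon=0.25)
               for _ in range(4)]          # true count is 250
    try:
        table.noisy_count(lambda r: r["allergy"], epsilon=0.25)
        refused = False
    except BudgetExhausted:
        refused = True                     # fifth query exceeds the budget
    return answers, refused, table.remaining_budget
```

A production system would use a vetted differential privacy library, since naive floating-point Laplace sampling has known weaknesses.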

Conclusion

Many industry solutions demonstrate a troubling lack of fundamental understanding regarding basic data privacy principles. The education, healthcare, financial, and retail sectors collect vast amounts of consumer data, yet without rigorous due diligence and the implementation of robust data privacy security measures, these industries remain highly susceptible to privacy breaches and data exfiltration. Given the growing body of research dedicated to data privacy, it has become imperative for businesses to engage cybersecurity data privacy experts to assess vulnerabilities and strengthen data protection strategies.

References

[1] Calgary Board of Education. (2025, January 27). PowerSchool Data Breach. Retrieved from https://cbe.ab.ca/about-us/policies-and-regulations/freedom-of-information-and-protection-of-privacy-foip/Pages/PowerSchool-Data-Breach.aspx

[2] Global News. (2025, January 28). How many school boards were impacted by the PowerSchool breach? Global News. https://globalnews.ca/news/10981247/powerschool-how-many-school-boards-impacted/

[3] TechTarget. (2025). PowerSchool data breach: Explaining how it happened. TechTarget. https://www.techtarget.com/whatis/feature/PowerSchool-data-breach-Explaining-how-it-happened

[4] PowerSchool. (2025). SIS incident update. PowerSchool. https://www.powerschool.com/security/sis-incident/

[5] Tran, P., & Local Journalism Initiative Reporter. (2025). CBE still cannot confirm how many families have been impacted by PowerSchool breach. In The Canadian Press. Canadian Press Enterprises Inc.

Join the Conversation

7 Comments

  1. The insights and cybersecurity failings of the incident, such as the lack of Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC), are concerning. Hackers are targeting schools to breach personal information. I believe this cyberattack reminds us that every sector handling personal information should implement proper data security measures to prevent data breaches. On the other hand, recommendations such as using data perturbation, differential privacy, Homomorphic Ciphers, or Multi-Factor Authentication (MFA) can be effective in preventing such incidents.

    1. Absolutely, security measures work all together as a defense in depth strategy. Nevertheless, preserving data privacy is quite a unique defense layer. For instance, if we consider “Assume Breach” as a security notion, the advanced privacy-preserving techniques have to be enforced and embedded in the holistic defense in depth strategy. In other words, if we assume an attacker is able to bypass all the defense layers from MFA, RBAC, and the API-based protected data access, the attacker should be faced with perturbed and anonymized data that is useless to the attacker. Hence, integrating differential privacy, k-anonymity, and l-diversity techniques should be part of the API-based scripting and data exchange.

  2. I thoroughly enjoyed your post Tamer, great job! After I read through the details, I was amazed at the insightful analysis of the PowerSchool data breach. The implications that occurred, as a result, were alarming as most of the concerns lie within data privacy for the education sector. One factor is apparent when an incident of this scale occurs, where millions of records have been stolen, data protection measures need to be increased when dealing with cloud-based systems. Furthermore, the attacker’s ability to access historical records shows a complete failure to implement proper query rate limits and encryption manners. The reliance on user-based credentials for backend database access is a significant design flaw, as it exposes vast amounts of sensitive data if compromised.

  3. Thorough research work Tamer! Nicely put.
    The sheer scale of compromised student, staff, and parent data highlights critical gaps in access controls, encryption, and authentication protocols. While PowerSchool’s response, including offering identity protection services, is a necessary step, the lack of proactive safeguards such as role-based access control and multi-factor authentication raises serious concerns. Moving forward, educational institutions must prioritize robust data protection strategies to prevent future breaches and restore public trust.

  4. Great effort, Tamer! This is a good privacy insight, but it shows how badly organisations are failing to do the most fundamental security. To be effective, safeguarding techniques should use a comprehensive and holistic approach to preventing cyberattacks from happening in the first place. The PowerSchool breach confirms that many organisations, including educational institutions, do not know the true scope of cybersecurity. Security is not a stand-alone effort because a strong infrastructure by itself does not guarantee good security until all security controls are put in place.

    This compromised credential attack demonstrates the importance of user awareness because these credentials represented a critical vulnerability. Organisations collect vast amounts of personal information yet show a lack of necessary protocols and regulatory frameworks to handle this data securely.

    This incident underscores the importance of not only focusing on advanced privacy techniques but also ensuring that foundational security practices are in place. Without a robust framework that includes clear policies, adherence to standards, and compliance with regulations, organisations remain vulnerable to breaches. It’s critical to address these gaps holistically to protect sensitive data effectively.

  5. Wonderful post, Tamer! The shocking part of the PowerSchool data breach was the lack of basic protections like Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC). The attack, which occurred in late December 2024, went undetected until January 7, 2025, delaying response efforts. Sensitive information of millions of students, staff, and parents—including historical records—was compromised, raising significant concerns about identity theft and fraud. While offering identity protection services is helpful, it fails to address the root issues, as stolen data is now at risk of identity theft, phishing, and fraud for years. The suggestions made in the post are excellent as they tackle the root issue of weak security.

  6. Great post!
    The PowerSchool data breach underscores fundamental cybersecurity failures. The lack of MFA, RBAC and weak backend security allowed hackers to gain unauthorized access to the sensitive data. It highlights the necessity of differential privacy, data perturbation and homomorphic ciphers to tackle this type of attack. This incident serves as a stark reminder to us to implement robust security measures to protect sensitive information of our important sectors.
