On the 7th of January 2025, PowerSchool notified the Calgary Board of Education (CBE), school boards, and many schools across Alberta about a massive student data privacy breach that occurred in late December 2024. According to CBE’s website, the breach involved the personal and demographic information of the CBE staff, students, and parents’ information [1].

PowerSchool is a widely used Student Information System (SIS) that provides teachers, students, and parents with an online platform to manage and track academic and educational progress. PowerSchool’s SIS stores a spectrum of personally identifiable information (PII) such as:

  • Student Personal Information, including first, middle, and surname; CBE-issued email address, home address, and phone number when attending a CBE school; birthdate; gender; and grade. In some cases, medical information such as allergies, medications, medical conditions, and/or support.
  • Staff Information, including first, middle, and surname; CBE employee number; school name code, school address and phone number; department and/or teaching specialty, and CBE-issued email address.

CBE confirmed on its website that it does not collect Social Insurance Numbers (SINs), personal documents such as birth certificates, driver’s licenses, and immigration documents [1].

What Happened

PowerSchool is a leading cloud-based software for education management solutions in North America serving over 18,000 schools across ninety countries supporting more than sixty million students. According to PowerSchool’s website, the initial attack surfaced from an unauthorized access to its internal customer support portal called PowerSource using compromised credentials.

The breach allowed the intruders gaining access to the Student Information System (SIS) and the backend database containing all sensitive information for students, schools’ staff, and parents. According to CrowdStrike, the PowerSchool’s hired cybersecurity consultant, it is still not clear how the credentials were compromises.

The impact

According to the Canadian Global News, at least 80 Canadian school boards across seven provinces had been impacted by the PowerSchool privacy breach. There is no specific disclosure on the specific number of the impacted students, however the number is in millions.

According to the Global News, the impact was massive including 2,4 million students in Ontario, 21 schools in Manitoba, and many school boards in Alberta including the Calgary Board of Education, Edmonton Catholic School Division, Red Deer Public Schools, Medicine Hat Catholic Board of Education and Medicine Hat Public Schools.

BleepingComputer, a leading cybersecurity news, published an article claimed that 593,518 CBE students and 133,677 teachers were impacted by the PowerSchool breach. [5].

The Canadian federal privacy commissioner is quite concerned about the breach and all provinces’ officials are assessing the impact to determine the next step. Unfortunately, the privacy breach was not limited to the current student records only, but also harvested all historical records stored in the SIS.[2]

PowerSchool’s Response

According to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are obligated to report any Privacy breach of security safeguards involving personal information to the Privacy Commissioner of Canada and must also notify affected individuals about the breach in such situations.

On January 7th, PowerSchool notified all relevant regulators on its customers’ behalf in applicable jurisdictions as well as students about the privacy breach. PowerSchool’s website confirmed that the impact included personal information, such as names, contact details, dates of birth, limited medical records, social insurance/security numbers (SIN, SSN), and other related information [4].

PowerSchool offered two-year complementary identity protection services to all it is involved students, and educators regardless of whether an individual’s social insurance/security number was exfiltrated. Additionally, PowerSchool pledged its responsibility to continuously prioritize reviewing its cybersecurity defense and take full responsibility for protecting students, families, and educators’ data privacy with extreme serious [4].

Lessons Learned

  • Lack of Differential Privacy: Realizing that the attackers were able to exfiltrate massive number of records using compromised credentials confirms that no limit was set to query the backend services. Using data privacy techniques such as the Differential Privacy by adding noise to the sensitive and students’ identifiable information (such as SIN/SSN, date of birth, etc.) could prevent the attackers from de-identifying the sensitive information. Although, no full understanding of how the attackers were able to exfiltrate this massive data, however, it can be safely assumed that these millions of stolen records are queried using SQL scripts which could have been prevented if a privacy query language such as Privacy Integrated Queries (PINQ) has been used in developing PowerSchool’s applications.
  • Lack of Data Encryption or the use of Homomorphic Ciphers: recognizing that the attackers we able to compromise the credentials of the internal support portal (PowerSource) and use the same credentials to access backend services confirms that the backend services are accessed with a user-based credentials which is not a best practice to for data protection. Alternatively, the backend services could employ Homomorphic Ciphers to guarantee data encryption while at rest.
  • Lack of Data Perturbation: Data privacy techniques such as Multiplicative Data Perturbation could be used to alter and protect sensitive information such as SIN/SSN, date of birth, phone numbers, and other numeric information.
  • Lack of Role-Based-Access-Control (RBAC) and Segregation of Duties: The compromised credentials on the internal support portal (PowerSource) should not have a privileged access to all school records in the backend SIS services. The credentials of a support agent should not have such elevated access to the backend services.
  • Lack of Multi-Factor-Authentication (MFA): Connecting from one service to another using the same credential without validating or proofing the user’s identity is critical flaw in the access control process. Access attacks, like pass-the-token, often occur due to a lack of MFA.
  • Lack of Application Programming Interface (API): API provides modern data exchange framework, such as Java-Web-Token (JWT), that allows data exchange with specific scope using protected access secret keys preventing internal users from gaining full elevated access to the backend services. So even if to assume there was no external breach, the internal users still pose a potential security threat due to this vulnerability.

Recommendations and Mitigation

  • Use Differential Privacy by adding noise to the sensitive data and set rate limits to data queries.
  • Use Data Perturbation to protect student’s numeric information, especially for records stored off-site on a third-party repositories.
  • Use Homomorphic Ciphers for data encryption at rest and when data is exchanged.
  • Enforce RBAC and Segregation of Duties when accessing data between services.
  • Enforce multi-factor-authentication (MFA) when accessing students data using user-based credentials.

Conclusion

Many industry solutions demonstrate a troubling lack of fundamental understanding regarding basic data privacy principles. The education, healthcare, financial, and retail sectors collect vast amounts of consumer data, yet without rigorous due diligence and the implementation of robust data privacy security measures, these industries remain highly susceptible to privacy breaches and data exfiltration. Given the growing body of research dedicated to data privacy, it has become imperative for businesses to engage cybersecurity data privacy experts to assess vulnerabilities and strengthen data protection strategies.

References

[1] Calgary Board of Education. (2025, January 27). PowerSchool Data Breach. Retrieved from https://cbe.ab.ca/about-us/policies-and-regulations/freedom-of-information-and-protection-of-privacy-foip/Pages/PowerSchool-Data-Breach.aspx

[2] Global News. (2025, January 28). How many school boards were impacted by the PowerSchool breach? Global News. https://globalnews.ca/news/10981247/powerschool-how-many-school-boards-impacted/

[3] TechTarget. (2025). PowerSchool data breach: Explaining how it happened. TechTarget. https://www.techtarget.com/whatis/feature/PowerSchool-data-breach-Explaining-how-it-happened

[4] PowerSchool. (2025). SIS incident update. PowerSchool. https://www.powerschool.com/security/sis-incident/

[5] Tran, P., & Local Journalism Initiative Reporter. (2025). CBE still cannot confirm how many families have been impacted by PowerSchool breach. In The Canadian Press. Canadian Press Enterprises Inc.

Leave a comment

Powered by UCalgary

The views, information, or opinions expressed on this site are solely those of the individual(s) involved and do not necessarily represent the position of the University of Calgary as an institution.

Website Terms & Conditions | Privacy Policy | Copyright © 2024