STAY CONNECTED: Have the stories that matter most delivered every night to your email inbox. Subscribe to our daily local news wrap.
ID 73611647 © Weerapat Kiatdumrong | Dreamstime.com
By Erika Rolling
Education

Four Peace Region school divisions involved in 2024 PowerSchool breach

Nov 18, 2025 | 1:22 PM

Findings have been released by both the Alberta and Ontario privacy commissioner investigations stemming from a security breach affecting school boards and other educational bodies nearly a year ago.

The incident happened between December 18-28, 2024, which affected millions of Canadians, where PowerSchool, an education technology used by schools in both provinces, had a cybersecurity breach where sensitive information was compromised. This included students, parents, and staff personal details like: full government names, home addresses, date of birth, student ID numbers, phone numbers, medical information, email addresses, custodial agreements, and in some cases, social insurance numbers.

In Alberta, 33 public and charter school boards and a Francophone regional authority experienced the cybersecurity attack. PowerSchool reported to the Alberta office that the attack was done through a stolen set of credentials belonging to support staff, where they first gained access to the system’s community-focused customer support portal, then gained access to the Student Information System.

Over 700,000 individuals were affected by the breach in the province, including four school divisions in northwestern Alberta:

  • Peace River School Division
  • Peace Wapiti Public School Division
  • Grande Prairie & District Catholic Schools
  • Fort Vermillion School Division

Although they issued separate investigation reports, the Ontario and Alberta commissioners coordinated their investigations under a memorandum of understanding to enhance collaboration and information-sharing in the handling of cross-jurisdictional investigations. Both reports have common key findings, including that some or all of the educational bodies:

  • Failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
  • Lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards to ensure the company complied with its contractual terms and conditions, including in respect of user access privileges for remote support personnel and the use of multi-factor authentication;
  • Failed to limit remote access to their student information systems by PowerSchool support personnel for only as long as necessary to address specific technical issues; and,
  • Lacked adequate breach response plans or protocols.

Both commissioners have made recommendations to address their findings in their respective reports, including what educational bodies should do:

  • Review and, as needed, renegotiate agreements with PowerSchool to include the recommended privacy and security-related provisions to ensure that the educational bodies meet the requirements of applicable provincial public sector privacy law;
  • Implement effective monitoring and oversight over PowerSchool’s technical and security safeguards to ensure they are compliant with applicable provincial public sector privacy law and leading industry standards, including by conducting a privacy impact assessment of their student information system;
  • Limit remote access to their student information systems on an as-needed basis only; and
  • Ensure they have adequate policies and procedures to respond to breaches in the future.

The Ontario and Alberta commissioners call on their respective governments to support the education sector by using their procurement lever to strengthen the bargaining power of educational bodies when negotiating agreements with ed-tech service providers and that will enable educational bodies to meet their privacy law requirements. The commissioners also call on their respective governments to provide educational bodies with the technical guidance or assistance needed to assess the privacy and cybersecurity posture of ed-tech vendors, assisting educational bodies in carrying out their monitoring and oversight responsibilities.

The final, full report by Information and Privacy Commissioner of Alberta, Diane McLeod can be viewed by clicking here.

“The investigation reports from my office and the office of my counterpart in Ontario establish beyond a doubt that the risks to privacy caused by the PowerSchool breach were significant, for both the students as well as the adults affected. It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected. There is no way around this. It simply must be done. I believe the recommendations in our reports, including those to government, set out a path that, if followed, will ensure that appropriate actions are taken.” – Diane McLeod

by Erika Rolling