Canadian School Systems Faulted in PowerSchool Data Breach
Canadian privacy regulators released investigative reports attributing significant responsibility for the PowerSchool data breach to the school systems that used the platform. The breach, which occurred in December, exposed personal information of over 62 million students and 9 million teachers, with data in some cases dating back to 1985. The reports highlighted that the affected schools failed to include adequate privacy and security provisions in their contracts with PowerSchool, did not effectively monitor the company's security safeguards, and lacked proper breach response protocols. Additionally, the lack of multifactor authentication and insufficient limitations on remote access for PowerSchool support personnel were cited as key security lapses.
The Ontario and Alberta information and privacy commissioners recommended that schools renegotiate contracts to strengthen privacy and security requirements, implement better oversight of third-party vendors, and establish more robust breach response plans. The incident underscores the importance of comprehensive vendor management and the need for educational institutions to enforce standard security practices, such as multifactor authentication, to protect sensitive student and staff data.
Timeline
Nov 19, 2025
Canadian privacy regulators release findings on PowerSchool breach
Privacy commissioners in Ontario and Alberta issued coordinated findings in November 2025 concluding that Canadian school boards shared responsibility for the PowerSchool breach alongside the vendor. The reports cited weak contracts, poor oversight of vendor access, lack of MFA for support sessions, and inadequate breach-response planning.
May 1, 2025
Matthew Lane pleads guilty in extortion conspiracy case
A 19-year-old Massachusetts student, Matthew Lane, pleaded guilty in May 2025 to conspiring to extort a school software supplier. A source indicated the targeted company was PowerSchool.
Dec 1, 2024
PowerSchool reportedly pays ransom after the intrusion
After the December 2024 breach, PowerSchool reportedly paid a ransom and said the stolen data had been deleted. Later extortion attempts against individual districts suggested the data may not actually have been wiped.
Dec 1, 2024
PowerSchool breach exposes student and staff data
In December 2024, attackers used compromised credentials to access PowerSchool data, exfiltrating entire database tables. The breach affected about 3.86 million people in Ontario and more than 700,000 in Alberta, exposing personal, educational, and in some cases medical information.
Aug 1, 2024
Unauthorized access to PowerSchool systems goes undetected
Investigators found earlier unauthorized access to PowerSchool systems between August and September 2024. The activity was not detected at the time because of the company's short log-retention window.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
PowerSchool SIS Breach Exposed Student and Staff Data
PowerSchool disclosed a security incident affecting its Student Information System (SIS), a platform widely used by K-12 school districts to manage student records, enrollment, attendance, grades, and related administrative data. Reporting on the breach indicates attackers accessed sensitive information stored in SIS environments, with exposed data potentially including student and staff names, contact details, dates of birth, Social Security numbers, medical information, and other school records, depending on the district. The incident raised broad concern across the education sector because a compromise of a centralized SIS provider can affect many districts at once and expose minors' data alongside employee information. Public coverage and PowerSchool's incident communications indicate the company moved to investigate and notify affected customers, while schools and families were urged to review breach notices, monitor for identity theft, and assess the long-term privacy impact of the exposure of highly sensitive educational records.
4 days ago
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
1 months ago
US Data Breach Reporting Transparency and State Notification Enforcement Gaps
The Identity Theft Resource Center (ITRC) reported a record **3,322** data breaches in the US last year, while noting that roughly **70% of breach notices lacked key incident details**, limiting defenders’ ability to understand scope, root cause, and affected data. The reporting gap was attributed to inconsistent state breach-notification laws and uneven enforcement; while all states and several US territories require some form of consumer notification for certain PII exposures, only **34 states** require breach reporting to state agencies. The ITRC also cited the **PowerSchool** incident as the largest US cyber incident of the year. Separately, Blue Cross Blue Shield of Montana (BCBSMT) disclosed that up to **462,000** members may have been affected by a “cyber incident” at third-party vendor **Conduent**, and the matter is now trending toward litigation over whether the Montana State Auditor has authority to investigate under a new state breach-reporting law effective **Oct. 1, 2025**. BCBSMT argues the incident pre-dated the law’s effective date and that its notification to the auditor was a courtesy, while reporting also noted the apparent absence (as of publication) of a corresponding entry from BCBSMT or Conduent on the US HHS public HIPAA breach portal. A separate blog post about a purported “**16 billion leaked credentials**” compilation describes an aggregated infostealer-driven credential corpus rather than a single breach and does not materially relate to the US breach-notification transparency and enforcement issues described above.
1 months ago