Canadian privacy regulators say schools share blame for PowerSchool hack

Two Canadian provincial governments on Monday released investigative findings which laid significant blame for the massive PowerSchool data leak with the school systems whose students’ and teachers’ data was exposed.

The Ontario and Alberta information and privacy commissioners’ reports fault the school systems for several missteps, including not putting privacy and security related provisions in their contracts with the education software firm and failing to “effectively monitor and oversee” PowerSchool’s security guardrails, particularly in regard to multifactor authentication. 

The PowerSchool hacker breached the company’s data systems by exploiting a lack of multifactor authentication requirements, which are considered standard security protocol.

A Massachusetts college student broke into PowerSchool’s systems in December, obtaining data belonging to more than 62 million students and 9 million teachers. In Toronto alone, data belonging to students going back to 1985 was leaked, including special education and disciplinary records.

The investigative reports found other flaws in how schools dealt with PowerSchool, including the fact that they did not limit remote access to their student information systems by PowerSchool support personnel “for only as long as necessary to address specific technical issues,” according to a press release from the Ontario commissioner. 

Schools also did not have appropriate breach response plans ready to go, the press release said.

The regulators issued several recommendations including that schools:

• Review and when necessary renegotiate agreements with PowerSchool to feature more robust privacy and security provisions

• Put systems in place to more effectively oversee PowerSchool’s security program

• Limit remote access to their student information systems 

• Implement plans for better breach responses in the future