Cyberattacks can take entire school networks out. It's time to pay more attention to them, experts say

A flurry of school-related emails hits parents' inboxes most weeks — from pizza lunch flyers to school trip notifications — yet one dreaded update is becoming all too common: notice of a cyberattack. 

Students in one Ontario board returned from winter break this past Monday to classrooms with no internet and disrupted communications thanks to a cyber incident. Days later, multiple school divisions across Canada — including the country's largest — informed families about a significant data breach connected to PowerSchool, a widely used outside provider that manages functions like students' personal information and communication with parents.

"It's basically a one-stop shop for anything to do with that student," said Ron Eberts, associate superintendent of technology and information services at Red Deer Public Schools, one of the Alberta school divisions affected.

"It's not just a Newfoundland and Labrador issue. This is a very widespread issue," Krista Lynn Howell, the N.L. education minister, said Wednesday as her province was also hit . "This platform has been provided to numerous schools right throughout North America." 

Cyberattacks can do serious damage: one might derail day-to-day operations in every single school by knocking out integrated, board-wide networks; another may endanger the vast trove of information schools collect from students, families and staff. More attention and action is needed, experts say, to strengthen school boards' defences.

An attractive target 

Cyberattacks are on the rise and have increased in scope, frequency and sophistication, says Ontario's privacy commissioner, Patricia Kosseim. Like other public institutions, schools are attractive targets.

"They hold vast amounts of personal information. They provide services that must continue.... They don't have the choice of just closing down business for a few weeks," she said. These are "vulnerable institutions that [cyberattackers] can really force into paying ransom."

WATCH | You just got a school cyber incident notice. What does it really say?: 

Your kid's school just sent a cyber incident email. What does it mean?

7 hours ago

Duration 4:12

Cybersecurity expert Ivo Wiens parses some recent cyberattack emails from Canadian school boards, shares what he looks out for and flags questions parents should be asking when (not if) these land in your inbox.

An early December attack on Manitoba's Pembina Trails School Division underlines how much daily school operations rely on internet-connected networks and applications. 

It "shut down basically everything we use: computers, P.A. systems, attendance [tracked] online. There was no internet.... Anything that we'd use in a normal school in the modern age was pretty much wiped out," said Gr. 10 student Sabastian Kelly, who saw peers grow restless and frustrated as the disruption stretched to the winter break. 

About a month later, the situation has improved but still isn't quite normal, the teen noted: "I would honestly like to see more precautions for this sort of thing.... Like one system going down shouldn't knock out everything in the division."

At the end of the day, cyberattackers are looking for money, says Ivo Wiens, field CTO of cybersecurity for internet technology services firm CDW Canada, so that could mean forcing a school board (or edu-tech company) to pay a ransom to get their systems restored or to have compromised school info deleted. Alternatively, they might just use the data for fraud.

Wiens describes a student's name, home address and phone number as "a fresh identity" that, coupled with a faked social insurance number, can be used to apply for things like loans or credit cards. Imagine opening a mailed overdue payment notice for a loan or card in your child's name.

"It's a very calculated game by these attackers and they know that there is, relatively speaking, cash to be grabbed," he said.

Official tracking of cyber incidents in Canadian schools is murky. Just five jurisdictions have a mandatory requirement for public K-12 schools to report cyber incidents resulting in privacy breaches, according to privacy commissions in each province and territory contacted by CBC News (all responded but New Brunswick).

Of the five with mandatory reporting:

• B.C.: Since 2020, 101 overall privacy breach notifications from districts. Nineteen specific cyber breaches since February 2023, when reporting by type was introduced.
• Manitoba: Four voluntary reports from 2020 to 2022, when reporting became mandatory. Then, zero in the 2022-2023 and the 2023-2024 fiscal years.
• Quebec: Declined to share number of incidents.
• Northwest Territories: Does not keep records of cybersecurity incidents specifically.
• Newfoundland and Labrador: Zero reported by K-12 schools in the past five years, prior to this week's.

Some privacy offices are tracking the cyberattacks voluntarily reported by schools (24 in Ontario since 2021; three in Nova Scotia since 2020). Meanwhile, Alberta tallies overall privacy breaches (arising from cyber incidents or other reasons), with 184 reported by public school districts from 2020-2024. 

"I like to say cybersecurity is a team sport," Rosseim said, and mandatory reporting would allow a provincial privacy regulator to better support institutions hit by attacks.

Protection in being proactive

Schools can also suffer from lack of investment into IT and cybersecurity compared with other sectors, like finance or insurance, Wiens says. 

At the very least, school boards should have an incident response plan in place for cyberattacks, but given their prevalence, Kosseim wants to see other proactive measures to mitigate risks, as well.

Her suggestions include limiting the collection of student data to only what's absolutely necessary, IT teams running through their response plans for practice and boards more often collaborating to share resources and best practices with each other. 

Kosseim also advocates for updated privacy legislation across the different levels of government to eliminate gaps in protecting students' school data.

In the meantime, while cyberattacks can't be completely prevented, Kosseim feels there is much boards can do proactively, "because it's the right thing to do, not just because the law says you have to."

She encourages boards to rigorously review the privacy protections of the applications students and staff use — and team with peers and education ministries to collectively demand stronger standards from third-party vendors. 

That's precisely applicable to this week's PowerSchool breach, which compromised even those who have upped their defences, like Red Deer Public. The division's tech superintendent Eberts noted they'd already made improvements, like  staging monthly cybersecurity awareness training sessions with staff and keeping guests on separate networks.

This week's breach came, however, through a PowerSchool maintenance account used for tech support, he explained after a briefing held for clients. 

"We've learned our lesson," Eberts said. "We're in the process of increasing our security requirements for our vendors as well now."

When attacks happen, families need more honest and updated communication, says Toronto dad Jack Ammendolia. Following an incident in his son's board last year, he sought clarification, only to be met with form responses and what he called frustrating exchanges with a school admin and superintendent.

"If in one breath it's not a big deal and we're pretty [sure] no serious information has gotten out there, then why are you scouring the dark web?" he pointed out this week, referring to the sometimes contradictory messaging from the school board. His interview with CBC was interrupted by an email about the new PowerSchool incident.

Cyberattacks are going to happen, he said. 

"Just be really clear and transparent about what exactly has transpired so we are fully aware, and maybe it allows us to be able to be more proactive as a parent."