PowerSchool paid hackers a fee to delete stolen data: Manitoba school board memo

A cyberattack that exposed student information on a web-based management system has impacted 80 per cent of Manitoba school divisions across the province, according to a cabinet spokesperson.

PowerSchool is a California-based provider of cloud software to over 16,000 customers in more than 90 countries. The company informed its Manitoba customers on Tuesday that a cyber incident had occurred on Dec. 28 and that some specific student information had been compromised.

"There's some conversations now, going around, that maybe they waited too long to inform people … it took until the beginning of January before people started to find out," said David Gerhard, head of computer science at the University of Manitoba.

Superintendent Colin Campbell of the Seine River School Division — one of the school divisions affected — said in a Wednesday notification letter that an investigation showed students' names, date of birth, home phone numbers, gender and sibling information may have been exported during the cyber incident.

In a notification letter from Prairie Skies School Division, superintendent Cheryl Mangin said PowerSchool hired the firm CrowdStrike to negotiate with the people responsible for the hack.

"A fee was paid by PowerSchool SIS to delete the data and keep it from being released," said Mangin.

"Through reasonable efforts and with assurances, PowerSchool SIS is confident the incident has been contained," Mangin said.

Data ransoms get paid only if hackers can show evidence, like video, that the data was destroyed, said Gerhard. 

Video evidence that shows the stolen data being deleted is easy to fake, he says.

"It would not be difficult to make that video evidence, and the data evidence, completely legitimate ... but have that happen after another copy of the data has already been made," said Gerhard.

"This is a trust relationship with an organization that is inherently untrustworthy, these hackers, whose job it is to steal information and sell it on the black market," Gerhard said.

Cybersecurity expert Ivo Wiens previously told CBC that data involving children's personal information has value because it can be used to create a synthetic social insurance number to apply for credit.

Last month, Pembina Trails School struggled for weeks when a cyberattack shut down its network, including email, phone systems and printers, and also may have exposed the banking, social insurance numbers and compensation details of the school's staff.

Provincewide data dashboard

In Manitoba, 28 out of 37 school divisions are currently using or are in the process of converting to PowerSchool, acting education minister Tracy Schmidt said in the legislature in October.

Previously, Manitoba's Progressive Conservative government was planning to administer a provincewide student information system, but NDP Minister Schmidt said the scope of the PC gov­ern­ment's plan was "costly and time-consuming."

"What we've shifted towards is a focus on out­come indicators and a system that leverages existing data and systems," said Schmidt previously.

The province instead is introducing the up and coming "data dashboard," which will be a front-facing service that consolidates information to ensure consistency and accessible data sharing, Schmidt said in a Friday interview with CBC News.

"The data dashboard we're looking at is a way of accumulating data that comes from places like PowerSchool," said Schmidt.

Schmidt said it's too early to know how the PowerSchool data breach will impact progress on the province's data dashboard, but Manitobans can expect to hear something from the province shortly.

"We're going to have to take this one step at a time, but again, we're going to work with our school divisions to make sure that unfortunate incidents like this are less likely to occur," Schmidt said. "Unfortunately, there's really no guarantee of data protection these days." 

PowerSchool did not respond to requests by CBC News on how the company could be sure the data had been deleted.

Gerhard says it's probably only because PowerSchool is such a big player in the student information data market that they are getting so much attention.

"I believe the same thing could happen to other organizations," Gerhard said.

"At some point some people might decide that they didn't do a good enough job, or that they did everything right and it still happened anyway."