Cyberattack affecting school boards across Canada may involve decades of data. What can families do?
'Verify everything that turns up and trust nothing,' says cybersecurity expert
Over the past two weeks, school boards across Canada — including the country's largest — have revealed details about a major data breach connected to PowerSchool, an outside provider K-12 schools use to manage student info.
As investigations into the cyberattack continue, a broader understanding of the incident is emerging, with some boards saying that student data dating back decades may be impacted.
Despite the breadth of data that could potentially have been accessed, however, experts say there are still measures families and schools can take to protect themselves.
Who's been affected?
School divisions across Canada — in Alberta, Ontario, Manitoba, Newfoundland and Labrador, Nova Scotia, Northwest Territories, Prince Edward Island and Saskatchewan — use PowerSchool, primarily to manage student personal and sometimes medical information, grades and other learning details. Some use it as a portal to communicate with families.
Officials are working with PowerSchool to determine the extent of the breach, which occurred in late December when a back-end account used to offer school boards technical support with the platform was compromised.
Speaking about the breach on Jan. 8, Newfoundland Education Minister Krista Lynn Howell noted student info from 1995 onward was affected.
Other education ministries and school board leaders have also been revealing what specific data was included in the breach and just how far back it goes. It ranges from social insurance numbers of past and longtime school staff in Cape Breton, for instance, to student information from as far back as 1965 within the Peel District School Board.
What kind of student data was impacted?
Names, birthdates, home addresses and phone numbers are commonly cited as the data accessed about recent students.
However, depending on the board, other information — such as student ID numbers, grade, gender, medical info, emergency contacts and disciplinary notes — might also have been accessed. The severity of the incident has also attracted the attention of Canada's privacy commissioner.
How are students getting updates about the incident?
At Canada's largest school board, the breach potentially affected data from September 1985 to December 2024, covering about 1.49 million students, estimates Toronto District School Board spokesperson Ryan Bird.
Past student info, including from boards that became the TDSB, is kept to allow for record requests after the fact, he noted.
Along with emailing current families, "we have to try to reach far and wide to let people know that they may have been impacted," he said Tuesday, adding that updates are posted on the TDSB's online "hub of resources," a common approach by many affected boards.
"PowerSchool has given us assurances that the information that was copied has been deleted," Bird said. "It has not appeared, to our knowledge, online anywhere."
He said that boards are also awaiting final details about how to access credit monitoring and identity theft protection PowerSchool is offering.
"We are doing this regardless of whether an individual's Social Security Number was exfiltrated," the company noted in a statement.
How can student data be used?
With basic info like a student's name, grade and a parental email, cybercriminals could easily craft a phishing scam to extract credit card info, says Tony Anscombe, an expert from cybersecurity services firm ESET.
That could look like a note urging you to click a link to pay for your third-grader's school trip, for example. Or it might spoof a note from your school division, inviting you to sign up for credit monitoring after this very breach, he noted.
Alternatively, a student name and home address could potentially be coupled with a faked date of birth to create a credit request or apply for a piece of ID, the 30-year cybersecurity veteran said from Brighton, England, on Tuesday.
Other details — like prescription medications and notes about learning challenges — could be joined with information from a separate incident and "together, they may well actually have enough of the puzzle to now go and breach somebody's identity [and] extort money from them."
What can parents and schools do?
Anscombe says that there are still steps parents can take following the breach.
- Talk to your kids about the breach so they can watch for anything odd in school emails, like phishing attempts, Anscombe says.
- Change your password on school accounts. If password recovery prompts include info that may have been compromised (e.g. your mother's maiden name), change those, too.
- Turn on two-factor authentication for all accounts.
- Set up credit monitoring for your kids. Anscombe says that once a free account is created, it can be used to lock the credit record. "It stops anybody actually using it until you unlock it."
- Be skeptical about email offers. A cybercriminal could create an email scam offering credit monitoring and protection against identity theft, he says, something that would involve revealing a lot of sensitive data. Check if the offer is real by going to your board's website or calling them to confirm, rather than immediately clicking on a link in an email. "Verify everything that turns up and trust nothing."
- When prompted to input personal details for school forms, consider if every field is absolutely necessary to fill in and ask the school about it. "Understanding that our data has value and that we're leaving our value in too many places where it could be stolen, I think, is a really good mindset," Anscombe said.
The breach could prompt schools to revisit what types of student info they keep on file. Schools do ask for a lot of personal information each year, Bird acknowledged, but in the wake of the breach the TDSB has decided to stop collecting health card numbers and will delete the ones it did collect from its system, he said.
Underfunded school boards can lack the cybersecurity resources and skill sets of other sectors, Anscombe noted, but school district IT departments can still take action regardless.
His suggestions for boards include establishing good cybersecurity practices; being proactive by staging "tabletop exercises" to run through how to respond to potential breaches; and ensuring third-party software or services have strong security procedures in place, as well as regularly auditing those procedures.
While some say school cyberattacks are a case of when, not if, Anscombe believes they don't have to happen and can be avoided if schools have the right processes and cybersecurity in place.
"Cyber criminals will go and look for the lowest hanging fruit," he said.