The majority of Manitoba school divisions have been impacted by a data breach involving a popular software program used to track student and employee contact information.
More than 20 superintendents have informed families in recent days that PowerSchool — the owner and operator of their shared student-information system — was hacked in late December.
Customers across Canada and the U.S., where PowerSchool’s Folsom, Calif. headquarters are located, have been affected to varying degrees.
The Winkler-based Garden Valley School Division was advised it was not impacted. Others, including Sunrise School Division, were not so lucky.
“We believe that the data accessed included information about students and staff — particularly contact information and other information provided to the division at the time the student was registered, or when staff commenced their employment,” superintendent Trevor Reid wrote in a mass email to families and employees from Oakbank and surrounding communities.
Reid noted the company, not Sunrise in and of itself, was the target of the cyberattack. He also assured students and employees that neither banking data nor student photos appear to have been accessed by hackers.
His letter mirrored ones sent by Louis Riel, River East Transcona, Seine River, Portage la Prairie, Brandon, Mountain View, Hanover, Prairie Spirit, Prairie Rose, Southwest Horizon, Lakeshore, Flin Flon, Beautiful Plains, Swan Valley, Border Land, Western, Kelsey, Frontier and the franco-manitobaine district.
One of the memos indicates PowerSchool paid a ransom fee to delete data that was obtained to keep it from being released.
The company is investigating the incident and announced a “town meeting” for affected divisions. It has also pledged to share a report compiled by CrowdStrike, a cybersecurity technology company, with clients by Jan. 17.
A spokesperson for PowerSchool said emergency response protocols were OVERSET FOLLOWS:initiated on Dec. 28 after the discovery of “unauthorized access” to student records via a customer portal.
The company does not expect any disruptions to service as a result of the situation and remains committed to taking its role as a data processor “extremely seriously,” the spokesperson said.
Manitoba administrators have told communities the provider is confident the breached data was deleted and not copied or uploaded elsewhere.
Accounts have been deactivated and there are new, bolstered processes for passwords and access, per the series of letters that appear to have been customized from a generic template.
The situation is unfolding as the Pembina Trails School Division — which was not affected by this cyberattack — works to restore operations after an unauthorized third-party accessed student information and employee payroll details before the winter break.
The education sector is a common target because of the “large attack surface” of its stakeholders — campuses typically have multiple systems and networks — and their diverse user bases, said Gustavo Valle, director of information security at Exchange Technology Services.
Valle said the rise of remote learning, school budget constraints and the sensitivity and high value of stored data makes the entities vulnerable.
“There is no such thing as 100 per cent protection,” he wrote in an email in which he warned against placing blame before any investigation is complete.
At the same time, he said good “information technology hygiene” involves strong and up-to-date password policy and enabling multi-factor authentication.
“Additionally, users must be educated on how to identify attacks and threats to avoid falling for phishing attacks, social engineering, and similar risks,” Valle added.
Sandy Nemeth, president of the Manitoba School Boards Association, confirmed the “vast majority” of the group’s 38 members use PowerSchool as a provider, but she declined to provide further comment.
The Seine River School Division has published a detailed list of information from schools in Lorette and surrounding communities that may have been compromised, per internal logs.
Superintendent Colin Campbell said student names and corresponding registration numbers, birthdays, grade levels, homerooms, guardian and sibling names, home phone numbers and addresses, as well as family doctor contact information, are all in question.
Employee records containing names, phone numbers, email addresses and both staff identification and school location ID might also have been exported, Campbell said in a mass email.
One IT specialist said he believes his employer was protected from the leak because he had turned off an automatic switch that allowed PowerSchool to enter its network to fix problems upon request. “We got lucky,” said the employee, who was not authorized to speak on the record.
A spokesperson for Manitoba Education said in a statement that divisions are responsible for their own student-information systems and the department is in communication with those affected.
For Mike Moroz, inaugural minister of innovation and new technology, every Manitoban has a responsibility to protect online data.
“This is a new world. (The digital realm) is where some of the criminal activity’s going to take place,” Moroz said in an interview Thursday.
The minister said his newly established office is learning from incidents that occur in Manitoba and elsewhere to update protocols, better protect public entities and create best-practice guidelines for the private sector.
The Manitoba Federation of Independent Schools was unaware of any private schools being affected as of Thursday afternoon.
maggie.macintosh@freepress.mb.ca
The Local Journalism Initiative (LJI) is a federally funded program to add coverage in under-covered areas or on under-covered issues. This content is created and submitted by participating publishers and is not edited. Access can also be gained by registering and logging in at: https://lji-ijl.ca.
You can support trusted and verified news content like this.
FIPA’s news monitor subscribers, donors and funders help make these available to everyone rather than behind a paywall. We appreciate every contribution because it makes a difference.
If you found this article interesting and useful, please consider contributing here.