Livingstone Range School Division says student and staff information stored on an old PowerSchool server was accessed in last winter’s cybersecurity breach. The revelation comes as Alberta’s privacy commissioner concludes school authorities across the province failed to meet required security standards.
Jeff Perry, associate superintendent of business services at LRSD, confirmed that archived records covering 2012 to 2021 were compromised in the incident, despite the division ending its student information system contract with PowerSchool in 2021.
“When Livingstone Range School Division ended our SIS contract with PowerSchool in 2021, our data was decommissioned from PowerSchool’s current system. However, data from 2012-2021 that was stored on a PowerSchool server was accessed in the breach,” Perry told Shootin’ the Breeze.
The division’s Jan. 9 media release stated that its own investigation could not determine whether any LRSD staff or student information had been accessed, but committed to updating families if it learned archived data had been compromised.
LRSD followed up with a second public notice on Jan. 30 and created a webpage with available details.
PowerSchool began its notification process in February, using online notices, local media and emails where contact information was available.
New details emerged this month as the Alberta and Ontario information and privacy commissioners released separate but co-ordinated investigation reports on the breach, which affected more than 700,000 people in Alberta alone.
Ontario and Alberta commissioners co-ordinated their investigations under a memorandum of understanding to enhance collaboration and information-sharing in the handling of cross-jurisdictional investigations.
The reports conclude that educational bodies in both provinces failed to meet their legal obligations under provincial privacy legislation, including gaps in their contracts with PowerSchool and weaknesses in their oversight of the company’s security safeguards.
The Alberta report, released Nov. 17, outlines how the threat actor used stolen credentials belonging to a PowerSchool support employee to access PowerSource, the company’s support portal.
From there, it gained entry into student information systems used by dozens of school authorities. Once inside, the intruder accessed personal data belonging to students, staff and parents or guardians.
For students, the compromised information included names, ID numbers, gender, dates of birth, home addresses and phone numbers, medical details and personal health numbers.
For parents and guardians, contact details and custodial arrangements were accessed. Staff information included contact details, employee numbers and email addresses, and in some cases social insurance numbers.
In LRSD, more than 3,300 past and current students may have been affected, Perry said.
According to Perry, compromised records contained basic contact information and, in some cases, basic medical details such as asthma, diabetes or allergy notes. He said the archived records did not include financial information, birth certificates or academic achievement data.
The privacy commissioner’s investigation found that Alberta educational bodies did not have adequate policies or procedures to guide compliance with Section 38 of the Freedom of Information and Protection of Privacy Act.
The act requires public bodies to make reasonable security arrangements to prevent unauthorized access or disclosure. The report also concludes that gaps in PowerSchool’s security measures contributed to the breach and that because school authorities are accountable for their contractors, those failures created non-compliance under the act.
In total, the commissioner issued 22 recommendations — six directed at school authorities, 13 to PowerSchool and three to government. They include directing school authorities to strengthen vendor contracts with clear privacy and security requirements, improve monitoring and oversight of edtech providers, limit remote access privileges for support personnel and establish adequate breach-response protocols.
The report further calls on government to support school authorities by using procurement tools to strengthen bargaining power with edtech vendors and by providing technical guidance to assess security risks.
LRSD is now reviewing the report and its recommendations. Perry said the division will work with its educational community to incorporate any required policy and procedural changes in line with the findings and Alberta’s updated privacy legislation.
He said the division already made significant changes when it left PowerSchool in 2021.
“Ironically, one of the reasons we moved away from PowerSchool in 2021 was to improve our security and data protection position, especially around multifactor authentication,” he said.
The division had switched to a student information system with stronger security features and modern software that integrates more closely with provincial reporting requirements and school-level tools.
“Our current SIS vendor provides modern software built on accepted standards and integrates more closely with our other backend services, our reporting requirements to the Province and with software used directly in our schools,” he said.
Perry said LRSD’s technology department has long conducted regular privacy impact assessments to identify and address risks and maintains a robust breach-response plan to detect, contain and communicate security incidents.
“Privacy and security have been at the forefront for our technology department for some time,” he said. “We have a robust response plan to help identify risk, detect a breach, plan for containment and recovery, and communicate proactively.”
He added that the division remains engaged with provincial partners on vendor oversight and best practices for software implementation.
As LRSD examines the commissioner’s report and considers further updates to its policies, Perry said the division will continue to ensure strong privacy and security provisions in future contracts and maintain communication with families as needed.
Holy Spirit Catholic School Division, which also uses PowerSchool as its student information system, said it likewise followed notification and reporting requirements after learning of the breach early this year.
In a statement to Shootin’ the Breeze, the division said PowerSchool confirmed that some information related to Holy Spirit families and staff was involved. “Since then, PowerSchool contained the incident and took steps to secure its systems. They also contacted individuals directly whose information may have been affected,” it said.
Following the incident, the division reported the breach to Alberta’s privacy commissioner, who has now completed the investigation and issued a final report.
The Local Journalism Initiative (LJI) is a federally funded program to add coverage in under-covered areas or on under-covered issues. This content is created and submitted by participating publishers and is not edited. Access can also be gained by registering and logging in at: https://lji-ijl.ca