The Calgary Board of Education (CBE) and Rocky View Schools (RVS) were among several Canadian school boards affected by a breach in PowerSchool, a cloud-based student information system. The breach, which occurred on December 28, 2024, was reported to both school districts on January 7, 2025. Unauthorized access was gained to demographic data of students and staff, but no financial information was compromised. PowerSchool, which serves many school boards across Canada, the U.S., and internationally, is currently investigating the incident with the help of a third-party security response team. Despite this, the full extent of the breach and the amount of data accessed remain unclear.
In response to the breach, both CBE and RVS have taken immediate action to limit access to the system. RVS communicated to parents that the breach was contained, but they were still working to gather more information. Both districts have assured their communities that the compromised data was limited to non-financial information and that their respective systems do not store any financial data. The schools are awaiting further updates from PowerSchool as the investigation progresses, and new details will be communicated to parents and staff as they become available.
PowerSchool has assured both districts that it has strengthened its security measures and notified law enforcement. It has locked down its system and changed all relevant passwords to prevent further unauthorized access. Furthermore, PowerSchool has worked to limit the damage, and investigations are ongoing to determine the full scope of the breach. The data breach has also affected several other school boards across Canada, including in the Edmonton area, Greater Toronto Area, and Nova Scotia, with many institutions still assessing the impact.
Cybersecurity experts, including Dr. Hadis Karimipour from the University of Calgary, have weighed in on the breach, calling it a “medium” threat. She explained that the vulnerability might stem from flaws in the PowerSchool software or outdated systems that could have been exploited by cybercriminals. Karimipour recommended that parents monitor the data stored in the system and take precautions by updating their passwords and avoiding sharing unnecessary personal information. The breach has highlighted the need for improved cybersecurity measures in systems handling sensitive educational data.
Reference:
