The privacy commissioner’s office has released its report on the cyber attack involving PowerSchool and the actions of the public bodies responsible for safeguarding the personal information within the PowerSchool system.
The cyber attack affected more than 271,000 students and 14,000 teachers in Newfoundland and Labrador.
NL Privacy Commissioner, Kerry Hatfield (OIPC)
Privacy Commissioner Kerry Hatfield announced last year that she was launching an investigation into the privacy breach involving the PowerSchool app, which compromised the personal information of students, parents and teachers in the K-12 system across the province.
A 19-year-old American college student pleaded guilty to hacking into the U.S.-based system and stealing the data of millions of students and teachers in a ransomware attack.
Hatfield’s office found that the PowerSchool privacy breach extended “far beyond” the current generation of teachers, students and parents. Information on teachers dated to 2010, while student information dated back as far as 1995.
The report identified weaknesses in contractual language governing PowerSchool’s services with the department, and concludes that the primary issue was not what PowerSchool committed to in its agreements, but its failure to meet those commitments in practice.
The privacy commissioner also found that the department, which was the public body responsible for the protection of personal information, “did not have sufficient oversight mechanisms in place to effectively monitor or verify PowerSchool’s compliance with its contractual and security obligations.”
Recommendations have been made to improve the clarity and effectiveness of future notification efforts. The report also recommends that the department directly notify a small group of current students who were identified as potentially having their Social Insurance Number information affected.
