Privacy Commissioner releases report into PowerSchool cyberattack
- News Staff

- 4 hours ago

The Office of the Information and Privacy Commissioner has released a report examining the PowerSchool cyberattack that compromised the personal information of students, parents, guardians and teachers across Newfoundland and Labrador’s K–12 education system.
The report reviewed the actions of the Department of Education and Early Childhood Development, the public body responsible for safeguarding information stored in the PowerSchool Student Information System.
The investigation was launched by Information and Privacy Commissioner Kerry Hatfield under the province’s Access to Information and Protection of Privacy Act, 2015. It examined whether the department had adequate security measures in place at the time of the breach and whether its response was appropriate.
The OIPC found the breach affected a broad range of individuals, including current and former students and educators. Teacher records in the system dated back to 2010, while student records extended as far back as 1995. As a result, anyone who attended school or had a child in the K–12 system since 1995 may have been impacted.
While the report identified weaknesses in the contractual language governing PowerSchool’s services, it concluded the primary issue was the company’s failure to meet its obligations. It also found the department lacked sufficient oversight mechanisms to effectively monitor and verify PowerSchool’s compliance with security and contractual requirements.
The report made several recommendations, including strengthening contractual requirements, improving oversight, and enhancing information management and security practices.
It concluded the department took reasonable steps in responding to the breach, but called for clearer and more effective notification processes. It also recommended direct notification to a small group of current students whose Social Insurance Number information may have been affected.
The breach included MCP numbers from 244,917 student records. The report found the department’s collection and retention of MCP numbers was not authorized under the legislation and recommended it immediately stop collecting the data and permanently remove existing records.
“This was a significant breach that affected hundreds of thousands of people across the province, many of them children,” Hatfield said in a statement. “Protecting personal information requires active oversight, limited collection, and ongoing verification that safeguards are working as intended.”