School Board Update

Final Report Released on PowerSchool Cyberattack

Date: November 20, 2025

On November 17, 2025, the Information and Privacy Commissioner of Ontario (IPC) released a Privacy Complaint Report regarding the January 2025 cybersecurity breach of Ontario school boards’ information through their third-party service provider, PowerSchool Canada ULC (PowerSchool).

The report found that in general the institutions involved did not have reasonable measures in place to prevent unauthorized access to personal information, nor did they respond adequately to the breach.

These findings underscore the importance for school boards to remain diligent regarding their obligations under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) to minimize the impact of future breaches and protect their institutions.

Scope and Impact of the Breach

Twenty school boards across Ontario, in addition to the Ministry of Education, were victims of the cybersecurity breach of the institutions’ Student Information System (SIS) through the provider, PowerSchool.

The personal information of approximately 3.86 million Ontarians was affected by the attack. The IPC received 12 complaints from parents, guardians, a teacher, and former students. Consequently, the IPC undertook an investigation to address confidentiality and security concerns.

The Cyberattack and Criminal Proceedings

The cybersecurity breach was instigated by a threat actor who sent a ransom demand by email to PowerSchool in December 2024. PowerSchool paid the ransom in January 2025; however, it ultimately received another email in May 2025 threatening the information of multiple school boards that used PowerSchool and seeking an additional ransom payment to prevent the release of the data.

Ultimately, a 19-year-old student in the United States was discovered to be the instigator. The individual was charged with cyber extortion crimes, among other charges. The individual pleaded guilty in the United States to hacking two US-based companies’ computer networks (including PowerSchool) and extorting the companies for ransom payments. The individual demanded approximately US$2.85 million to stop him from leaking the data of more than 60 million students and 10 million teachers. The student was sentenced in Massachusetts to four years in prison. He was found guilty of cyber extortion conspiracy, cyber extortion and unauthorized access to protected computers.

The IPC Investigation: Two Core Questions

In its review into the breach, the IPC considered the following in relation to the school boards and the Ministry, with respect to their obligations under MFIPPA and FIPPA, respectively:

  1. Did the institutions have reasonable measures in place to prevent unauthorized access to personal information in accordance with the requirements of the Acts and their regulations?
  2. Did the institutions, as a whole, respond adequately to the breach?

Technical Vulnerabilities

With respect to the first issue, the IPC found that a number of vulnerabilities contributed to a threat actor successfully exploiting PowerSchool’s SIS and PowerSource, including the following:

  • compromised credentials of an elevated user
  • the lack of multi-factor authentication (MFA) required for PowerSchool users to access PowerSource (through which SIS can be accessed)
  • the “always on” feature for remote maintenance support
  • the failure to detect and respond to the earlier unauthorized activities in a timely manner due in part to the limited log retention period

Governance and Oversight Gaps

With respect to the second issue, the IPC noted its concern that some institutions still lacked various security measures including:

  • robust breach response plans and efficient early breach detection processes involving their service provider
  • clear retention schedules and processes for regularly purging personal information accordingly
  • proper monitoring, evaluation and enforcement of privacy and security measures to protect personal information held in PowerSchool’s SIS and PowerSource

Recommendations and Compliance Directives

Accordingly, the IPC found that institutions did not adequately respond to the breach.

The IPC in its report made recommendations to institutions to address these issues, to the extent they did not already comply with them. These recommendations included technical and security safeguards, contractual agreements and oversight measures, amongst other recommendations.

The IPC ordered institutions to provide the IPC with proof of compliance or the status of their efforts to comply within six months of receiving the report.

Conclusion

This is a significant report from the IPC in the wake of a highly publicized, large-scale cybersecurity breach involving numerous public sector entities in Ontario and the personal information of millions of people. It is important that the school boards impacted, in addition to any institution with obligations under privacy legislation, take steps to ensure compliance in the future.

If you have any questions regarding the Privacy Complaint Report, or need assistance with navigating your obligations under FIPPA and MFIPPA, please contact Victoria McCorkindale or your Hicks Morley Lawyer.  


The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©