Schools share blame for massive PowerSchool data breach


According to TheRegister.com, Canadian privacy watchdogs have released coordinated findings blaming school boards for security failures that amplified the massive PowerSchool data breach. The December 2024 attack exposed personal information of roughly 3.86 million Ontarians and over 700,000 Albertans after criminals used compromised credentials to access PowerSchool’s systems. Investigators found that many school boards hadn’t implemented basic contractual security clauses, proper oversight of remote-access arrangements, or breach-response plans. The breach involved decades of sensitive student and staff records, with some data dating back to the 1960s, and attackers used a subcontractor’s access to automate exfiltration of complete database tables. In a related case, 19-year-old Matthew Lane recently pleaded guilty to conspiring to extort a school software supplier holding data on “more than 60 million students and 10 million teachers,” which sources confirm was PowerSchool.


The shared responsibility problem

Here’s the thing that makes this breach so concerning: everyone dropped the ball. PowerSchool obviously had security issues, but school boards essentially handed over decades of sensitive student data without asking basic questions about how it would be protected. They didn’t require multi-factor authentication for support sessions, didn’t scrutinize the “always-on” remote access capabilities, and in many cases didn’t even have proper security clauses in their contracts. It’s like giving someone the keys to your house without checking if they know how to lock the door behind them.

Systemic failures across the board

The investigation revealed some jaw-dropping oversight gaps. Unauthorized access using compromised credentials had actually occurred months earlier, between August and September 2024, but went completely undetected because PowerSchool’s logging retention window was too short to preserve the evidence. So not only were the security measures inadequate, but the monitoring systems couldn’t catch breaches even after they had happened. And we’re talking about medical information, education records and identifiers: the kind of data that can haunt people for years if misused.
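Two of the failures above, the undetected bulk pull of whole tables by a support account and a log retention window shorter than the gap between intrusion and investigation, can both be checked mechanically. The following is an added example, not code from the article, PowerSchool or the commissioners’ reports; the log format, the account names (`support-vendor-01` and so on), the row thresholds and the dates in the sample are all constructed assumptions.

```python
"""Added example (not from the article or PowerSchool): two defender checks
drawn from the failures the story describes. The audit-log format, actor
names, thresholds and dates below are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, actor, action, table, row_count.
# A support account pulls two complete tables at 2 a.m.; the other lines are
# ordinary daytime activity that should not be flagged.
SAMPLE_LOG = """\
2024-08-14T02:11:05Z support-vendor-01 login maintenance -
2024-08-14T02:12:40Z support-vendor-01 export_table students 412000
2024-08-14T02:15:09Z support-vendor-01 export_table staff 38000
2024-08-14T09:30:00Z teacher-jdoe query students 25
2024-08-15T11:02:13Z admin-mlee export_table attendance 900
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, table, rows = line.split()
        events.append({
            "ts": datetime.strptime(ts, TS_FMT),
            "actor": actor,
            "action": action,
            "table": table,
            "rows": None if rows == "-" else int(rows),
        })
    return events


def find_bulk_exports(events, row_threshold=10_000, off_hours=(0, 6)):
    """Flag whole-table exports: a large row count pulled by a third-party
    support actor, or pulled outside business hours by anyone.
    Returns a list of (actor, table, rows) tuples in log order."""
    flagged = []
    for e in events:
        if e["action"] != "export_table" or e["rows"] is None:
            continue
        big = e["rows"] >= row_threshold
        nightly = off_hours[0] <= e["ts"].hour < off_hours[1]
        vendor = e["actor"].startswith("support-vendor")  # assumed naming scheme
        if big and (vendor or nightly):
            flagged.append((e["actor"], e["table"], e["rows"]))
    return flagged


def scan_log(text):
    """Convenience wrapper: parse the text and return the flagged exports."""
    return find_bulk_exports(parse_log(text))


def retention_covers(event_iso, investigation_iso, retention_days):
    """True if a log kept for retention_days at investigation time still holds
    an event that happened at event_iso. Both arguments are ISO timestamps in
    the same constructed format as the log."""
    event_ts = datetime.strptime(event_iso, TS_FMT)
    investigation_ts = datetime.strptime(investigation_iso, TS_FMT)
    return investigation_ts - event_ts <= timedelta(days=retention_days)


if __name__ == "__main__":
    for actor, table, rows in scan_log(SAMPLE_LOG):
        print(f"ALERT bulk export: {actor} pulled {rows} rows from {table}")
    # Constructed dates: an August intrusion examined at the end of December.
    for days in (30, 180):
        kept = retention_covers("2024-08-14T02:12:40Z", "2024-12-28T00:00:00Z", days)
        print(f"{days}-day retention still holds the August event: {kept}")
```

The retention check is the simpler half but the one the reports single out: an August event looked at in late December is 136 days old, so any window shorter than that has already discarded the evidence, which is exactly why the earlier unauthorized access went unnoticed.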

A wake-up call for education technology

This breach highlights a much bigger problem in how public institutions handle third-party vendors. Schools have become completely dependent on ed-tech platforms, but they’re outsourcing risk without outsourcing responsibility. Ontario commissioner Patricia Kosseim nailed it when she called for “sector-wide coordination and cooperation among school boards” to strengthen contract negotiations and oversight. Basically, individual school districts don’t have the bargaining power or technical expertise to properly vet massive technology providers. So they end up with lopsided contracts and inadequate security oversight.

What comes next for data protection

The scary part? This probably isn’t an isolated case. As Alberta commissioner Diane McLeod noted, “privacy does not happen on its own” – it requires actual effort and proper policies. Many other sectors are likely making the same mistakes with their vendor relationships. The commissioners’ reports make it clear that unless schools and other public bodies start taking their oversight responsibilities seriously, the next breach isn’t just possible – it’s practically inevitable. When you consider that a college student managed to extort a company holding data on 70 million people, doesn’t that suggest our entire approach to data protection needs a serious rethink?
