Canada Investigates PowerSchool Data Breach: Millions of Students and Staff Affected

Introduction to the Breach and Investigation

In a troubling turn of events, Canada’s Privacy Commissioner, Philippe Dufresne, has announced the launch of an investigation into a significant data breach involving PowerSchool, a widely used student information system. The breach, which occurred in late December 2024, exposed the personal data of millions of current and former students, as well as thousands of staff members across the country. This incident has raised serious concerns about the security of personal information in the education sector and has prompted a thorough probe under the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Scope of the Breach and Initial Response

The breach has affected school boards not only in Canada but also in other countries where PowerSchool operates. According to reports, over 2.77 million current and former students in Canada had their data accessed, along with 35,951 staff members, including teachers. Additionally, at least one Nova Scotia school board confirmed that 3,500 parents’ data was also compromised. The exposed information includes names, contact details, dates of birth, limited medical alert information, and in some cases, social insurance numbers. PowerSchool has begun notifying affected individuals and is providing credit monitoring and identity protection services to help mitigate potential harm.

The Investigation and Regulatory Collaboration

Commissioner Dufresne emphasized that his immediate priority is ensuring PowerSchool takes swift and effective action to contain the breach, reduce risks for those affected, and implement measures to prevent similar incidents in the future. His office is actively collaborating with provincial and territorial privacy authorities to address the issue comprehensively. The investigation comes more than a month after PowerSchool started notifying users about the breach, underscoring the complexity and scale of the incident. Global News reached out to school boards across Canada and found that at least 87 boards were impacted, though not all were able to provide detailed numbers as they continue to assess the full extent of the breach.

Legal Recourse and Class-Action Lawsuit

In response to the breach, a class-action lawsuit was filed in January 2025 by the Calgary-based law firm Cuming and Gillespie. However, lawyer Craig Gillespie noted that there is currently “no urgent call to action” for individuals to join the lawsuit, as it is still in the certification stage. Once certified, notices will be sent out to eligible participants. This legal development highlights the growing trend of holding companies accountable for data protection failures and seeks to provide recourse for those whose personal information has been compromised.

Lessons Learned and the Need for Enhanced Data Security

The PowerSchool data breach serves as a stark reminder of the vulnerabilities in digital systems that handle sensitive personal information. As schools and educational institutions increasingly rely on technology to manage student records, the need for robust data security measures has never been more urgent. This incident also underscores the importance of transparency and timely communication with affected individuals, as well as the need for proactive steps to prevent future breaches.

Moving Forward: Vigilance and Accountability

While PowerSchool and regulatory authorities work to address the fallout from this breach, the broader implications for data protection in Canada cannot be overlooked. The Privacy Commissioner’s investigation and the class-action lawsuit are critical steps toward ensuring accountability and safeguarding personal information. For individuals affected by the breach, vigilance is key. Monitoring credit reports, being cautious of phishing attempts, and taking advantage of the identity protection services offered can help mitigate potential harm. As this situation continues to unfold, it serves as a call to action for organizations and individuals alike to prioritize data security and privacy in an increasingly digital world.