
The Ottawa Catholic School Board said a data security incident impacting technology provider PowerSchool has compromised the sensitive personal information of its students and staff.
In a data security incident notice published on its website, the school board said that on January 7, its K-12 software and cloud-based solutions provider, PowerSchool, notified it that it had experienced a significant data security incident that involved threat actors infiltrating its internal network and stealing a massive trove of student data.
The breach was first identified on December 28 when PowerSchool discovered that the threat actor had accessed and exported data using the “export data manager” feature in its software.
According to the company’s investigation, hackers gained access to its network via compromised credentials that also enabled them to steal data from PowerSchool SIS databases, including sensitive information stored in the “Students” and “Teachers” tables.
The stolen data included names, addresses, Social Security Numbers, grade point averages, medical information, and more.
Soon after it was notified about the incident, OCSB launched an investigation, with assistance from external cyber security experts, to determine its scope. The investigation confirmed that the sensitive personal information of its current students and staff was affected. Former students and staff who were associated with the school district between 1998 and 1999 were also affected.
The compromised data included names, dates of birth, addresses, places of birth, email addresses, gender, OCSB student numbers, Ontario Education Numbers, medical information, family details and more. Students who registered before September 2023 had their guardian names, guardian email addresses and emergency contact numbers accessed during the incident.
OCSB added that “PowerSchool is confident that the breach has been contained, and the accessed data has been deleted without being shared publicly.”
OCSB has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.
OCSB’s announcement followed a similar one by the Toronto school district, which said the PowerSchool data breach compromised student information dating back as many as 40 years. It said the breached data included students’ names, dates of birth, gender, health card numbers, Ontario education numbers, medical information, home addresses, phone numbers and more.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543