Ransom paid to hackers over Sask. school data is 'no guarantee': privacy commissioner

Grace Hession David's report examines how a hacker stole sensitive information of students and teachers, and what steps could've stopped the privacy breach from occurring.

Hand over 30 bitcoins, or else.

Or else what?

Or else the personal information of students, parents and teachers, including some from Saskatchewan, would be leaked. Information like names, dates of birth, social insurance numbers, medical information and contact information.

This was the threat a software company called PowerSchool faced as the year 2024 came to a close, according to a recent report from Grace Hession David, the Saskatchewan Information and Privacy Commissioner (SIPC). The report examines the incident that affected Prairie Spirit School Division (PSSD), which serves communities around Saskatoon.

What’s Bitcoin, and how many people were affected?

Bitcoin is a form of cryptocurrency, and the value of one unit of the digital currency fluctuates.

A man from Massachusetts was charged in relation to the hacking incident. American court documents outlining his charges state that when the ransom demand was received by PowerSchool, 30 bitcoins were worth approximately $2.85-million USD.

Prairie Spirit School Division, which had used PowerSchool information management software, notified the SIPC office of the privacy breach on January 9, 2025. According to PSSD, 28,635 student records and 4,130 teacher records were impacted. Those numbers include originals and duplicates.

However, the Saskatchewan school division was not the software company’s only client. The American court documents state the ransom demand threatened to leak the data of “more than 60 million students and 10 million teachers.”

Years pass without a purge

The commissioner’s report notes that in January of 2022, PSSD began a process to discontinue business with PowerSchool. It requested cancellation of its subscriptions.

A contract between the software company and the school division stated that upon termination of services, all of the division’s data would be “destroyed and formal notification of this deletion will be sent to the PSSD within 5 days of the request,” according to a provision quoted in the commissioner’s report. 

The SIPC report indicates that in January 2024, the division pursued an answer from the company on why the shutdown had seemingly not been completed and requested confirmation that data had been deleted.

In March 2024, PowerSchool responded that the server had been “decommissioned” and the division asked when its data would be “fully purged.” It did not get a direct answer, according to the SIPC report.

Then September 2024 rolled around and a “threat actor” used the login credentials of a PowerSchool contractor to obtain access to the data. In December 2024, the information was transferred from PowerSchool’s server to one located in Ukraine, the SIPC report states.

Soon after, PowerSchool became aware of the breach and received the ransom demand. The report indicates the company “made the decision to pay a ransom,” but does not indicate when or in what amount.

The Leader-Post contacted PowerSchool and asked for this information.

In an emailed response, a spokesperson wrote: “While we cannot comment on the ransom, we believed at the time it to be in the best interest of our customers and the students and communities we serve.”

“We recognize how this incident has affected our customers and continue to be here to help as we navigate the path ahead together,” the emailed statement from PowerSchool reads.

It notes the company has strengthened its systems and processes and states further information on the company’s response is available on its website.

The commissioner’s report offers the grim reality of such situations.

“PowerSchool paid a ransom fee to the threat actor despite the risk that the stolen data could never be confirmed as purged,” Hession David wrote.

“Sadly, in circumstances such as this, there can be no guarantee of containment.”

What went wrong?

In this case, while the commissioner commented that the school division should have pursued confirmation that the data was purged, she found the division “made reasonable efforts to notify affected individuals of this privacy breach in a timely and best practices fashion.”

She found the “root cause” of the privacy breach was the lack of multifactor authentication, a security process that requires additional steps beyond the input of a password to log in to an account. Had such a process been in place it could’ve prevented the breach, Hession David wrote.

She recommended that the school division’s future contracts require this.

A second root cause was PowerSchool’s failure to purge the data, she wrote, noting the company acknowledged the “decommissioning” process had taken too long.

The commissioner also took issue with the wording of the contract between the software company and the school division, noting it did not comply with the requirements of provincial privacy legislation. She recommended the division ensure its current and future contracts meet those requirements.

The report states the school division conceded it failed to audit the software company’s practices, despite a contract provision allowing it to do so. Hession David wrote that going forward, the school division should audit its service providers for contract compliance and to ensure contracts are in keeping with provincial law.

She further offered a warning about what she called an “overcollection” of personal information of students, including Social Insurance Numbers (SIN) and Health Services Numbers (HSN).

The loss of such information leaves the victims open to fraud, the SIPC report states.

“There is no need for a school to collect SINs and HSNs from its students,” Hession David wrote.

She recommended the division cease “overcollection” of personal information. Further she recommended student HSN and SIN information be purged from the records of PSSD and its service providers.

She also recommended the school division urge affected parties to monitor their credit reports and scores.

Hession David wrote: “the data may very well have been sold to criminals on the Dark Web who may use it at any time in the future.”

She commended the division for efforts to engage current service providers about their data destruction processes and wrote Prairie Spirit is taking reasonable steps to prevent a similar breach in the future.

Words of warning

Just because a public body has a contract with an information management service provider (IMSP), it “does not mean that the original collector of the information is relieved of all responsibility for the integrity of the data,” the commissioner wrote.

“The need to manage and protect the data is always under the control of a public body even when a contract with a IMSP has been engaged.”

Public bodies must understand the application of the law, be prepared to audit service providers and, in the event of non-compliance, be prepared to seek compliance through legal means, she wrote.

bharder@postmedia.com
