PowerSchool update: 15 years of data accessed in hack

If you were a student or staff member with Brant Haldimand Norfolk Catholic District School Board in the last decade and a half, hackers may have accessed your address, phone number and social insurance number (SIN).

Last month, the board notified parents it was part of a widespread data breach affecting dozens of school boards across Canada and the U.S. who use PowerSchool, a third-party platform that manages a range of student and staff details, like personal contact information, marks and class schedules.

At that time, the board said it was waiting on investigation results before sharing specific details.

On Monday, it revealed the breach involved student and staff records going back to Sept. 1, 2009.

The compromised information included: students’ names, addresses, birthdates, phone numbers, guardian and emergency contact names and numbers, OENs (Ontario Education Number) and medical conditions, according to a letter the board sent to staff and students on Feb. 3.

Board employees with PowerSchool accounts may have had their names, addresses, employee numbers, and — in “less than 135” instances — SIN numbers accessed.

Current students and teachers that have been affected have received “direct notification” of the breach, but the board is relying on “indirect communication” for former students, a spokesperson told The Spectator.

Banking and credit-card information, personal phone numbers of staff, student grades and individual education plans were not compromised, the board said.

 

Why would a hacker want this information?

If someone is trying to “phish someone” or get into their email account, these details could be useful, according to Gareth Mott, a research fellow at the Royal United Services Institute (RUSI) for defence and security studies.

But, it’s not “massively sensitive” information, because many people already have their basic details somewhere online, he said.

But, as an example, cybercriminals could leverage this information — for instance by cold-calling parents — to put more pressure on victim organizations to pay a ransom, Mott said.

 

What happened to the accessed data?

PowerSchool “received confirmation” that the hacker deleted the data and it wasn’t posted anywhere online, according to the board’s website.

However, Mott cautioned there isn’t really a conclusive way to confirm this, so it means “relying on the word of the criminal.”

He pointed to a massive takedown by law enforcement of ransomware-as-a-service provider LockBit, last year.

“One of the things that they found was that the LockBit operators weren’t deleting the data when they said they were going to,” he said.

Instead, they collected the ransom and, while they didn’t release the data, in many cases they kept it, possibly to use to go back to the victim organization for future extortion, he said.

 

What can you do if your information was impacted? 

The board said it “continues to take this incident very seriously” and is working with PowerSchool to “ensure an incident like this does not happen again in the future.”

It plans to continue using PowerSchool at this time, but is working with “industry experts” to review data-retention practices and how it protects personal information.

Courtesy of PowerSchool, current and past students and staff have until May 30 to sign up for two years of identity protection services with Experian, and credit monitoring services through TransUnion, according to the board’s website.

This is a common practice in cybersecurity incidents. For folks who are feeling nervous about their data, it could also be reassuring to speak with an independent third party to get a better understanding of where the data is, what the risk exposure is, or whether their credit score has been or will be impacted, Mott said.

For more information, or to sign up for identity protection or credit monitoring services, visit 1.bhncdsb.ca/powerschool-cyber-incident.

 

Celeste Percy-Beauregard’s reporting is funded by the Canadian government through its Local Journalism Initiative. The funding allows her to report on stories about Brant County. Reach her at cpercybeauregard@torstar.ca.

Feature image by iStock.com/Moor Studio