A recent data breach gave millions of students, parents, and educators an unscheduled lesson in cybersecurity.
In December 2024, PowerSchool Canada ULC ("PowerSchool") suffered a major data breach across its systems. PowerSchool is an educational technology (edtech) company that provides student information systems ("SIS") to school boards and ministries to help them manage students and staff.
The Information and Privacy Commissioners of Ontario and Alberta (collectively, the "Commissioners") investigated the incident under their respective public-sector privacy laws.[1] While these laws do not apply directly to PowerSchool, they govern how institutions (which include educational bodies) handle personal information, including when that data is being processed by service providers.
This bulletin explains the key findings of the PowerSchool investigations and offers practical lessons for public-sector institutions on how to manage vendors and protect data. Many of these lessons, especially those regarding data security and vendor management, extend beyond the public sector and apply to any company that handles or stores sensitive personal information.
Background
In December 2024, an attacker used credentials stolen from a PowerSchool subcontractor to get into PowerSchool's support portal (called "PowerSource") and, from there, into multiple SIS environments. Each customer operated its own SIS environment, but the support portal allowed PowerSchool to reach those environments remotely for maintenance and troubleshooting. At the time of the attack, many institutions' remote support settings were configured to "always on," which allowed the attacker, holding a PowerSchool contractor's credentials, to move freely into their SIS environments.
The attacker stole data belonging to millions across Canada, including about 3.86 million Ontarians and more than 700,000 Albertans. The data included sensitive information about current and former students, parents and guardians, and educators.
PowerSchool made a ransom payment in early 2025, stating publicly that it believed this action was in the best interests of its customers and students. Months later, there was another extortion attempt targeting two Ontario school boards, threatening the release of the same data stolen in December. This serves as a stark reminder that ransom payments provide no guarantee that threat actors will honour their commitments. Meanwhile, these payments continue to fund and incentivize cybercriminal activities.
Key Findings
The Commissioners' reports focused primarily on the privacy practices of institutions (school boards and ministries) subject to public-sector privacy laws. In order to identify and evaluate the gaps in compliance for these institutions, the Commissioners made findings about PowerSchool as well.
Notable Findings about PowerSchool:
- No multi-factor authentication for PowerSource contractor access. Privileged users could reach SIS environments through PowerSource using single-factor authentication, which fell below established industry standards for cloud and remote access. Furthermore, PowerSchool did not maintain sufficiently strict password requirements for the single-factor credentials it did rely on.
- Persistent remote maintenance access. The "always on" setting for remote maintenance access enabled the attacker to move from PowerSource into customer SIS environments. While PowerSchool advised that remote support was disabled by default, Alberta's Information and Privacy Commissioner concluded, based on feedback received from institutions, that "always on" remote support was likely the default setting.
- Key systems excluded from assurance testing. While PowerSchool conducted SOC 2 Type II audits and penetration testing, PowerSource was outside the scope of these tests, despite it providing a clear access point to customer SIS environments.
Notable Findings about the Institutions:
- Outdated or incomplete agreements. Many contracts dated back years and lacked important provisions or meaningful enforcement tools. For example, many agreements lacked provisions related to subcontracting, security, breach notice timelines, audits, or governing law.
- Weak oversight and monitoring. Institutions often relied on public claims or certifications without obtaining audit reports or vulnerability assessments, and many could not enforce access to those documents despite contractual rights.
- Excess and unauthorized data. Some institutions collected health card numbers and SINs without a clear need for this information. Others kept data for decades (in some cases up to 60 years) which magnified the impact of the breach.
- Remote maintenance left on. Many institutions enabled persistent remote support access, which the attacker exploited. Those institutions whose remote support settings were not set to "always on" were not impacted by the breach.
Cybersecurity Lessons for All Organizations
We have identified five key takeaways from the PowerSchool investigations, for organizations wishing to better safeguard their data.
- Security basics matter. Multi-factor authentication, strong passwords, limited remote access, and adequate logging are essential controls that must be verified and enforced when sensitive personal information is involved.
- Contracts must have teeth. Vendor agreements should include specific security requirements, audit rights, and meaningful consequences for non-compliance.
- Oversight is not optional. Organizations must actively monitor vendors and demand evidence of security controls, especially for vendors with access to large volumes of sensitive personal information. A regulator will not excuse an organization's lack of oversight on the basis that it had less bargaining power than its vendor.
- On-premises storage can still have weaknesses. Rather than relying on PowerSchool to host their SIS, many institutions opted to host it locally, which is often seen as a more protective data security measure. However, local hosting did not protect institutions whose remote support access was set to "always on."
- Less data means less risk. Minimizing collection and purging unnecessary data reduces breach impact. Here, a proper data retention schedule could have reduced the impact of the breach dramatically for some institutions.
Conclusion
The PowerSchool incident underscores that data protection is a shared responsibility requiring vigilance at every level. Organizations entrusting sensitive personal information to third-party vendors cannot delegate accountability along with access. Whether operating in the public or private sector, institutions must implement robust vendor management frameworks that include rigorous due diligence, enforceable contractual protections, active oversight, and regular security audits. By applying the lessons from this breach, organizations can better protect the individuals whose information they hold.
The stakes are particularly high when children's data is involved. Privacy regulators continue to prioritize children's privacy. Recently, Canada's federal, provincial, and territorial privacy regulators issued a joint resolution on edtech, which underscores many of the points outlined in the PowerSchool investigations. The Office of the Privacy Commissioner of Canada and Ontario's Information and Privacy Commissioner also recently joined over 30 privacy authorities in the Global Privacy Enforcement Network sweep, which examined the privacy practices of websites and mobile applications commonly used by children.[2]
McMillan is available to assist in developing policies and procedures for compliance with privacy laws across Canada, and across sectors.
Portions of this bulletin were drafted using generative AI tools, with all content reviewed and verified by our authors.
Footnotes
[1] Office of the Information and Privacy Commissioner of Alberta, Investigation Report Regarding PowerSchool Breach, F2025-IR-02 (17 November 2025); and Information and Privacy Commissioner of Ontario, Privacy Complaint Report (17 November 2025). See the Ontario IPC news release of 18 November 2025.
[2] See the related news releases from the Ontario IPC and the OPC.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2025