More than 2.4 million students in Canada have been impacted by the PowerSchool data breach, and that number is likely to grow as more information is made available by school boards.
The increase comes just a day after Global News reported 1.49 million students were impacted at the Toronto District School Board, with Peel District School Board confirming by email how many of its students and staff were also affected.
“Peel District School Board (PDSB) has identified that 943,082 students and 18,760 staff members were impacted,” spokesperson Michelle Green wrote. “The staff number is lower because some individuals are assigned to multiple schools, causing their information to appear several times in the impacted data.”
Durham District School Board also informed Global News that 284,000 records had been impacted, though a breakdown of students and staff was not provided.
On Wednesday, Global News reached out to several school boards identified in a report by the online news site BleepingComputer, which had obtained information that appeared to show the scope of the data breach.
Global News has not independently confirmed the numbers reported by the news site, which allege the data of more than 62 million students and 9.5 million teachers across North America were impacted.
However, the numbers provided by TDSB are approximately the same number listed in the report as students impacted, while the data provided by Peel match the reporting for students affected.
School districts in at least six provinces have been impacted by the data breach.
Global News has confirmed that Nunavut schools have not been impacted.
The Calgary Board of Education told Global News it did not have confirmation from the company about the number of students or staff impacted, or the details of data taken, though they confirmed no social insurance numbers (SINs) were accessed.
“There’s no question that when you start talking about our kids, we all have a much heightened sensibility,” said Sandy Boucher, principal at Doane Grant Thornton, and leader of its cybersecurity incident breach response practice.
Boucher said while students may not have to worry about credit card information or bank accounts accessed, the data that has been accessed could come into play for social engineering use, such as signing up for a credit card or cell phone account.
“If you’ve got like a credit application and they need the SIN and you don’t have the SIN, well then you’re going to be stuck,” Boucher said. “There are ways in which data without a SIN can still be very damaging.”
Canada’s privacy commissioner says he is in communication with PowerSchool and Ontario’s privacy commissioner is investigating the breach.
But while the inquiries are ongoing, technology analyst Carmi Levy says public-facing institutions like school boards, health-care networks and others continue to be “increasingly targeted.”
Though Canadians may think their data is not valuable, a data breach that accesses even some personal information like an address and phone number could still impact them.
He said hackers can sell it on the dark web or use it to craft targeted identity theft and/or financial attacks “using highly detailed spearphishing messages designed to look incredibly legit.”
“Once the information is out there, there’s nothing that anybody can do to get it back in. It’s already been compromised, criminals have access to it. They will use it in ways that they wish,” Levy said. “We can, however, take steps to reduce our exposure to future events like this.
How to protect yourself
The first step to protect yourself, Levy said, is to take up the offers of credit monitoring because it will allow you to see what information is being used against you.
In addition, keep an eye on your incoming emails, text messages and social media platforms.
If you’ve been compromised, you may start receiving messages from the criminals who may try to appear as a legitimate source like a bank or school.
“Treat everything that hits your inboxes with suspicion,” Levy said, noting it’s not just people who have been compromised who should do this. “Don’t click on links when they show up, instead, bail out of the message, load up a website, call them directly but do not use these messages as a point of contact.”
Boucher and Levy said there are also some simple things you can do right now to protect yourself:
- Talk with your kids about what to keep an eye out for, such as suspicious emails, but also to find out what advice they are aware of to protect themselves
- Change your password and make it something complex that’s eight to 12 digits long and something that wouldn’t be guessed
- Turn on two-factor or multi-factor authentication on systems that provide it to provide extra security
- Keep an eye on your bank accounts for small transactions, as hackers will use these minor amounts to test if they have access
- Call your bank and credit bureau if you’re worried and ask if they can see if any new applications on your file
- Don’t throw away personal information and if you do decide to dispose of it, shred paper information, wipe hard drives that you’re getting rid of
“We’ve all got to become more conscious about the risks of data leaking out,” Boucher said.
Both Boucher and Levy agree that with the scope of what has occurred, they would not be surprised if lawsuits begin to be launched given the amount of information that was accessed.
“What separates this from other events is its scale, that it hits millions of Canadian students across the country no matter what kind of school or school board they might be a part of,” Levy said.
“The sheer scale and scope of this, I think, is going to attract a lot of attention.”