An online security breach last week exposed the names, addresses, and phone numbers of thousands of St. Albert-area students to hackers.
The St. Albert Public, Greater St. Albert Catholic, Sturgeon Public, and Conseil scolaire Centre-Nord school boards sent notices to parents Jan. 8-9 about a data breach of PowerSchool — an online service used by schools across North America to process fees and distribute information about grades and attendance.
In a letter sent to GSACRD, PowerSchool CEO Hardeep Gulati said that PowerSchool learned of a potential security breach on Dec. 28, 2024, related to its PowerSource customer support website. Investigators later confirmed that someone had used compromised credentials to access data contained in the PowerSchool Student Information System. The company has since informed law enforcement, deactivated the compromised credentials, restricted access to PowerSource, and reset all PowerSource passwords.
“Importantly the incident is contained and we have no evidence of malware [or] continued unauthorized activity in the PowerSchool environment,” the letter reads.
In an email, St. Albert Public spokesperson Laryssa Szmihelsky said that the breach likely happened on Dec. 22, 2024, based on when the data involved was taken. It affected school boards across North America.
“As a customer of PowerSchool, our division’s student and staff information, as well as stored data from past students and staff dating back to 2012, as among the data compromised,” Szmihelsky said.
Thousands affected
Szmihelsky said St. Albert Public has used PowerSchool to manage student and staff records since 2015, and has records in it dating to 2009. The hack affected a specific “table” in PowerSchool that included demographic information, the exact nature of which varies from board to board.
In St. Albert Public’s case, the breach exposed the names, birth dates, phone numbers, and addresses of students dating back to 2012, and the names and school email addresses for staff in that same period. Szmihelsky said. About 173 staff phone numbers were also exposed. Passwords, profile pictures, financial information, and social insurance numbers were not affected.
The breach affected similar data related to GSACRD students, in addition to Alberta Student Numbers and basic medical alert information (e.g. allergies), GSACRD officials said in a letter to parents.
While the extent of the breach was still under investigation, the breach had at minimum revealed the names and grades of current Sturgeon Public students and possibly some teachers, Sturgeon Public director of technology Robert Litchfield said.
In an email, PowerSchool spokesperson Melissa Wenzel said the company was still determining how this breach affected each of its customers.
“We have determined that for a portion of individuals, some personally identifiable information (PII), such as social security numbers (SSN) and medical information, was impacted. We are working with urgency to complete our investigation.”
PowerSchool officials have told St. Albert Public that this data breach was not a ransomware attack, Szmihelsky continued. The company brought in a third-party cybersecurity advisor and negotiator and received “reasonable assurances” from the culprit that the compromised data had been deleted and that no additional copies existed. The company believed the data would not be shared or made public.
Szmihelsky said St. Albert Public was in touch with current school families about the breach and working to reach past ones.
All GSACRD students were required to reset their school passwords in light of the PowerSchool breach.
Big data breaches such as this one are relatively common, with many companies simply paying a ransom to hackers and not reporting them, said Euijin Choo, an assistant professor of cybersecurity at the University of Alberta. The data exposed in the PowerSchool breach (should any of it get into criminal hands) could be used to get other information or commit fraud, especially if it contained passwords used on multiple sites.
In an email, Centre-Nord spokesperson Laura Devaney said PowerSchool did not expect this breach to lead to any misuse of personal information or financial harm. She said the company has their Centre-Nord families credit monitoring and identity protection services if they were affected by the breach. Szmihelsky said St. Albert Public had yet to hear if their families would receive similar protections.
Szmihelsky said St. Albert Public’s tech department was now reviewing the security of its computer systems. She advised parents and students to monitor their email and social media accounts for unusual activity, update their passwords regularly, and to use two-factor authentication where available to protect themselves.
Students and families should check their local school board websites for updates on the breach.
