The Lakeshore School Division continues to deal with the fallout of a cyber attack and data theft that occurred in late 2024 against California-based company PowerSchool, which provides information-management software that LSD and thousands of other school divisions across the world use.
The breach of PowerSchool occurred in December 2024 and the company alerted its clients in Canada, the U.S. and internationally.
Lakeshore has been keeping its students, parents and staff updated through letters and website postings, and is currently alerting everyone who was part of the division between 1992 and 2024 to visit LSD’s website for details of the data theft as it could impact them.
Donald Nikkel, LSD’s superintendent of HR, policy and alternative program director, was unable to provide the Express with specific information regarding the data breach, including whether the division will continue to use the software and whether it had received a ransom demand from any threat actor as the Toronto District School Board had in May – after PowerSchool said it had paid the hackers a ransom to have the stolen school-division data deleted.
“The PowerSchool breach has impacted a large number of divisions both in the Province of Manitoba, Canada, and beyond. PowerSchool is also a third-party entity and is not owned, operated or controlled by the division, so we are limited in what we can say or comment on their breach,” said Nikkel last week. “Since we were first made aware of the situation, we have been as transparent to our communities as possible and we have posted regular updates on our website.”
PowerSchool is cloud-based software for managing K-12 school data and is used in 90 countries. The company was founded in 1997 and changed hands a number of times, with Apple once having acquired it. PowerSchool Canada opened in 2015.
Information that LSD had acquired from PowerSchool indicated the hackers gained access to PowerSchool’s Student Information System and acquired personal data between about Dec. 19 and Dec. 28, 2024. PowerSchool said it became aware it “experienced a cybersecurity incident” on Dec. 28.
In a May 6 communique to its community, Lakeshore said the following data about its students were accessed: name, date of birth, gender, address, contact information, doctor’s name and phone number, relevant medical information (e.g., allergies), MET number, school ID number, enrolment/registration records, and/or relevant alerts (e.g., related to discipline, guardian, custody, or other issues), and the student’s parent or guardian’s name and contact information.
Staff data that were accessed are name, date of birth, gender, phone number, address, school email address, Professional School Personnel number, and/or school ID number. The social insurance numbers of staff could also have been “potentially involved.”
The division said no banking or credit card information of students and parents/guardians was stored in its PowerSchool software. As well, there was no banking and credit card information of LSD staff stored.
Personal identification is very valuable to hackers. They’ll use it to perpetrate financial fraud or re-sell it on the dark web to other criminals. Pieces of stolen personal data can be combined with other stolen data to build a robust profile of an individual.
Thieves can use stolen data to open fake accounts, make purchases, and file false income tax returns to gain access to funds. They can use SIN numbers, addresses and other personal details to apply for credit-cards, loans, mortgages, passports and driver licenses, or open cellphone and utility accounts in the victim’s name. They’ll also sell personal medical information that can be used to blackmail victims for money, commit identity theft or purchase prescription medication.
The fear of criminals sharing or selling people’s personal data came to the fore on May 7 when the Toronto School Board District said it received a ramson demand connected to the 2024 PowerSchool hack. That came after PowerSchool said it had paid the hackers to delete the stolen data. The Calgary Board of Education and the Peel District School Board (Ontario) also received ransom demands, according to media reports.
PowerSchool is offering victims two years of free identity protection and/or credit monitoring, and reached out to its victims via email with instructions on how they can take up the offer.
In its May 6 communique posted online, Lakeshore told students, parents and educators that PowerSchool is using three different email addresses with information on how to activate the free protection offer. The division said it had contacted PowerSchool and had been “assured” by the company that three email addresses it’s using are “legitimate.”
Visit Lakeshore School Division’s website for more information: www.lakeshoresd.mb.ca
The Evergreen School Division does not use PowerSchool software and was unaffected by the breach, said superintendent and CEO Scott Hill.
