By MEDICINE HAT NEWS on November 19, 2025.
newsdesk@medicinehatnews.com

Two provincial commissioners have released findings into a wide-scale cyberattack that breached PowerSchool, a third-party cloud platform used by the Medicine Hat Public School Division and Medicine Hat Catholic Board of Education, at the beginning of 2025.

On Tuesday, the Alberta and Ontario privacy commissioners, who conducted separate investigations under a co-ordinated memorandum of understanding and information-sharing, both reported a common key finding: some or all of the affected school divisions failed to include certain privacy and security-related provisions in their agreements with PowerSchool.

On Jan. 9, both local school authorities reported their facilities were impacted by the cyberattack, and that student and staff data from 2010 onward had been compromised. Medicine Hat divisions were among hundreds of school authorities across Canada and the U.S. affected by the cyberattack.

Student data accessed includes demographic information such as names, dates of birth, home phone numbers and mail addresses. Guardian details such as first name, last name, email, address, contact alerts and custody orders were also breached. The attackers also collected Alberta Student Numbers. School divisions do not collect Social Insurance Numbers as part of student records.

Both investigations reveal some or all school divisions lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards, and failed to limit remote access for support and technical personnel to address issues.

Both the Alberta and Ontario commissioners say governments need to support school divisions when negotiating agreements with third-party “edtech” service providers to ensure educational bodies meet their privacy law requirements and provide technical guidance.

“The investigation reports from my office and of my counterpart in Ontario establish beyond a doubt that the risks to privacy caused by the PowerSchool breach were significant for both students as well as the adults affected,” said Diane McLeod, information and privacy commissioner of Alberta. “It is essential to remember that privacy does not happen on its own. It requires a concerted effort by public bodies to create and implement policies and procedures that ensure privacy is protected.”

Both investigations also suggest local school authorities review and renegotiate agreements with PowerSchool to include recommended privacy and security-related provisions. School authorities are also advised to implement effective monitoring and oversight using PowerSchool’s technical and security safeguards, and to ensure they comply with provincial privacy law, as well as leading industry standards.

“There is no way around this. It simply must be done,” added McLeod.

Following the breach early this year, PowerSchool provided free protection and credit-monitoring services for the large number of Hatters whose student data was accessed. Since the cyberattack, PowerSchool has reported it has strengthened its password policies and controls and is working with cybersecurity companies to investigate any potential misuse of data.