ID 103315565 © Pop Nukoonrat | Dreamstime.com

By rdnewsNOW staff

Ongoing Investigations

Information and Privacy Commissioner comments on emerging developments regarding PowerSchool cybersecurity incident

May 22, 2025 | 3:02 PM

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has become aware of new developments in regard to the PowerSchool cybersecurity incident in December 2024 that affected many educational institutions in Alberta.

Officials with the OIPC were contacted by PowerSchool earlier this month regarding these new developments. PowerSchool notified the OIPC that it has become aware that a threat actor has reached out to multiple educational institutions in Alberta in an attempt to extort them using data from the December incident. The OIPC says PowerSchool has also posted new information on its website.

“Our office has launched a number of investigations as a result of the PowerSchool incident,” said Information and Privacy Commissioner Diane McLeod. “This work is ongoing and we will take this new information into consideration throughout our investigative work. The violation of children’s privacy is a significant concern for us, and we are working on a number of fronts to protect children from harms associated with the use of technologies, including educational technologies, as stated in our 2025-2028 Business Plan. These investigations are now a part of that work.”

The OIPC issued a news release regarding the PowerSchool cybersecurity incident approximately three months ago, on Feb. 12. At that time, the office had begun its review of 31 breach notices received from Alberta educational institutions about unauthorized access to personal information of students and staff at those educational institutions, all of which were using the PowerSchool platform.

Since that time, the OIPC says it has launched 41 investigations into school boards and other educational institutions covered as public bodies under the Freedom of Information and Protection of Privacy Act (FOIP Act) and private schools covered as organizations under the Personal Information Protection Act (PIPA), all of whom were clients of the PowerSchool platform and who were affected by the PowerSchool privacy breach in December. Officials say these investigations are looking into whether these educational institutions have met their obligations under the FOIP Act and PIPA, respectively.

Nighttime construction on Hwy 3 in Lethbridge starts April 17

Apr 17, 2025

SASHA launches #BuyABed fundraiser to support vulnerable Lethbridge residents

Apr 04, 2025

$20K grants available: TELUS STORYHIVE Pan-Asian Edition opens applications April 1

Mar 18, 2025

The OIPC says it is coordinating aspects of its investigations with its counterparts in other parts of Canada, i.e. the Information and Privacy Commissioner of Ontario and the Office of the Privacy Commissioner of Canada.

“While the new information appears to indicate that hackers are targeting educational institutions for extortion, it is not uncommon for hackers to target individuals whose personal information was compromised during an incident,” said McLeod. “To this end, we advise Albertans to be vigilant in regard to potential phishing attacks by hackers who may use personal information from the PowerSchool incident.”

People should avoid actions such as:

• clicking on unsolicited links or attachments;
• scanning unsolicited QR codes; and
• responding to unsolicited text messages.

Officials say the public should be especially vigilant if these links, attachments, QR codes or messages relate to PowerSchool.

The OIPC website has helpful information for the public about phishing and cybersecurity.

Members of the public who want more information about how to protect themselves from incidents such as this one may also check online resources such as the Canadian Anti-Fraud Centre website.

Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in Alberta’s three access to information and privacy laws, the Freedom of Information and Protection of Privacy Act, the Health Information Act, and the Personal Information Protection Act. The Commissioner operates independently of government.

For local news delivered daily to your email inbox, subscribe for free to the Lethbridge News Now newsletter here. You can also download the Lethbridge News Now mobile app in the Google Play and the Apple App Stores.