As of January 9, parents and caregivers with students attending schools in Niverville and Ritchot have been notified of a cybersecurity breach which affects the personal information of children.
The data breach similarly affects staff at each of the seven public schools in this region. The Hanover School Division (HSD), division scolaire Franco-Manitobaine (DSFM), and Seine River School Division (SRSD) have all posted similarly worded notifications on their respective websites.
All of these divisions, as well as many others across Canada and the United States, use a student information system service provider called PowerSchool. It was PowerSchool’s system that was the target of the cyberattack.
At this stage, reassurances from the affected school divisions indicate that no financial information or photos have been put at risk in the breach. As well, all internal school data collection systems are intact and unaffected.
“To this point, PowerSchool has worked with cybersecurity experts to resolve the situation,” reads a notice on the HSD website. “PowerSchool has deactivated accounts and initiated enhanced processes for passwords and access. PowerSchool has provided us with assurances that the accessed data has now been deleted. Furthermore, PowerSchool has confidence that the data was not copied or uploaded elsewhere. PowerSchool is actively engaged with cybersecurity professionals to continue to monitor this event.”
According to the SRSD website, there is some confidence in the type of information that may be at risk. This includes names, phone numbers, and email addresses for all students and staff.
Staff data extends to include their employee ID and school location ID.
For students, the list is a bit longer. Collected personal information may also include their date of birth, home address, doctor’s name, sibling information, gender, grade level, and parent/guardian names.
The divisions likewise indicate that they were made aware of the breach by PowerSchool administration on January 7. According to the HSD notice, the event occurred in late December.
The Citizen reached out to PowerSchool for explanation.
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System [data] through one of our community-focused customer portals, PowerSource,” the company responded through a spokesperson. “PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers. As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.”
At this point, both HSD and DSFM are declining further response until more information becomes available to them.
Wendy Bloomfield, chairperson of the SRSD board of trustees, did respond to The Citizen indicating that she was unaware of any delay in notification from PowerSchool. She currently has no new information to share.
“Please note that our school division does not store sensitive data such as social insurance numbers, banking information, login and password information in PowerSchool, and this data was not involved in the incident,” the SRSD website states. “Additionally, any information related to student specific planning (IEPs, behaviour plans, assessment records, medical information, etc.) was not included in the data export.”
Parents and guardians are asked to stay tuned to their divisional websites, where updates will be posted as they become available.
