The Calgary Board of Education informed families that while no further information has been accessed, some school boards may be subject to extortion around the release of that data.
The CBE sent a note to families on Wednesday morning updating information about the PowerSchool breach late last year.
The update said that PowerSchool paid a ransom to the “threat actors” to ensure deletion of the leaked data.
“As with any such incident, there was a risk that the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool,” the update read.
The update noted they’d been informed by PowerSchool that an unknown party was attempting to extort school boards using the data breached in December 2024, despite already being paid a ransom.
Upon questions, the CBE did not clarify if they’d paid ransom outside of the PowerSchool payment or had been contacted directly by the threat actor. They did say they did not contribute to the paid PowerSchool ransom.
“At this time, PowerSchool has indicated that no new data has been accessed. PowerSchool has told school boards that its system is secure and they continue to actively monitor,” the note said.
This update comes after a Jan. 7 email informed parents of the breach, said to have impacted thousands of students and staff.
At the time of the breach, the board had more than 142,000 students and more than 16,000 employees.
At the time of the breach, the CBE immediately limited third-party access to PowerSchool. Powerschool itself notified law enforcement, locked down its system and changed all passwords.
The original breach was said to include information of students and staff who had been a part of the system at any time since September 2018.
The information leaked could have included first, middle and last names, home address, phone numbers, date of birth, medications, medical conditions, Alberta Health Care number and doctor contact information, among others.
Through their update, the CBE strongly encouraged families to apply for credit monitoring and identity protection, a service that PowerSchool is offering to those directly impacted by the December 2024 breach.
“Staff and students who have reached the age of majority can apply for credit monitoring services,” the update said.
“Any students and staff whose information was involved can apply for two years of complimentary identity protection.”
Details for how to apply can be found on the CBE website.
Parent and guardian information was not impacted by the breach, according to the update. Those individuals do not qualify for the services.
The CBE has taken steps to assess and contain the breach, the update said. Steps include implementing enhanced cybersecurity measures to mitigate against future cyberattacks.
“CBE has retained external experts in cybersecurity and an incident response team has also been established. We have reported this to law enforcement,” the update noted.
The CBE noted that more information is available on their PowerSchool Data Breach Webpage. The board committed to keeping families updated when more details are available.
