The Office of the Information and Privacy Commissioner (OIPC) of Alberta investigation has officially released their findings after investigating the late 2024 PowerSchool information breach. Earlier this year, the organization told the CBE they’ve done enough to manage the leak.
Since the December 2024 breach, the Calgary Board of Education (CBE) has received a handful of updates from PowerSchool. Most recently, the board learned that threat actors were attempting to extort school boards using the breached data back in May, before being paid a ransom by PowerSchool directly.
Upon questions at the time, the CBE did not clarify if they’d paid ransom outside of the PowerSchool payment or had been contacted directly by the threat actor. They did say they did not contribute to the paid PowerSchool ransom.
That same month, the CBE was also informed of the OIPC of Alberta investigation into the data breach.
Three months later, in August 2025, the OIPC notified the CBE of its determination that the CBE had taken reasonable steps to manage the breach, including providing notification to affected individuals.
The original breach was said to include information of students and staff who had been a part of the system at any time since September 2018. Information that may have been accessed and acquired by hackers included full names, home addresses, phone numbers, birthdays, grades, gender and medical information such as allergies, medications and medical conditions, among others.
In a CBE-issued statement, the board said that information was provided to CBE families and staff about how they could apply for identity monitoring and credit protection services offered by PowerSchool.
“Individuals were able to make their own decision about applying for these services. The CBE was not made aware of how many people applied,” the statement reads.
Some school boards did not have adequate contractual protection ahead of time: OIPC
The OIPC has since released its findings into the breach, finding that some or all affected educational bodies, potentially including the CBE, failed to include certain privacy and security-related provisions in their contractual agreements with PowerSchool.
The report states that some bodies lacked policies and procedures to effectively monitor and oversee PowerSchool’s technical and security safeguards to ensure the company complied with its contractual terms and conditions, failed to limit remote access to student information systems by PowerSchool support personnel and lacked adequate breach response plans or protocols.
The report then recommends that school boards review, renegotiate agreements with PowerSchool as needed to include the recommended privacy and security-related provisions and limit remote access to their student information systems on an as-needed basis only, among other points.
Prior to the release, the board-issued statement said that the CBE will be taking a closer look at the recommendations put forward in the report to learn from the incident and improve its process where appropriate.
“The protection of student and staff data is important to us and we are taking the learnings from this security breach seriously,” the statement reads.
