
Latest news with #PhilippeDufresne

Federal probe into massive PowerSchool data breach is being discontinued

Global News

22-07-2025


Canada's privacy commissioner said Tuesday that he has discontinued his investigation into the PowerSchool data breach after the education software company agreed to take measures to improve its cybersecurity.

The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada.

The office of privacy commissioner Philippe Dufresne (OPC) said in a news release that PowerSchool 'took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.' Those actions include 'strengthened monitoring and detection tools,' the OPC release said.

'In light of the actions that PowerSchool has already implemented, and those that it will implement over the coming months, Privacy Commissioner of Canada Philippe Dufresne has decided to discontinue the investigation that he launched in February but will be monitoring to ensure that all of PowerSchool's commitments are fully met,' it continued.

'I welcome PowerSchool's willingness to engage with my Office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,' Dufresne said in a statement.

'Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children's personal information.'

Dufresne's investigation began more than a month after the company began to notify PowerSchool users about the data breach, which impacted school boards across most of North America and other countries that PowerSchool serves.

Global News contacted every school board across the country early this year to determine how many were impacted. Of those that responded, at least 87 were affected.

Data from those that provided numbers showed that more than 2.77 million current and former students were confirmed to have been affected. In addition, 35,951 staff members, including teachers, were confirmed impacted, with one Nova Scotia school board advising that 3,500 parents' data was also accessed.

Some Canadian school boards informed families in May that they had received new ransom demands involving the stolen data.

A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Sources close to the investigation told The Associated Press and Reuters that PowerSchool was the company identified as 'Victim 1' in the criminal complaint.

What did PowerSchool agree to?

According to a letter of commitment with the OPC signed last week and released Tuesday, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and to confirm if it plans to implement any additional authentication process in its affected PowerSource platform.

The company will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools, that those tools can 'identify patterns of irregular activity,' and that it has thoroughly reviewed and readjusted its system access privileges for both security and operational needs.

By March 2026, PowerSchool will need to show that it has obtained recertification of the global information security standard known as ISO/IEC 27001. It must also provide an independent, third-party security assessment and report to the OPC on PowerSchool's updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.

If the report includes recommendations for PowerSchool to implement, the company must show the OPC whether it has accepted them and provide an implementation plan and timelines, or provide reasons why it has not accepted them. The commissioner will have to review and approve those submissions.

PowerSchool also agreed to continue supporting affected clients and carry out its regular reporting and notification obligations under federal and provincial privacy laws.

The OPC letter said PowerSchool's commitments are 'a fair and reasonable response to the complaint' that sparked Dufresne's investigation in February.

Global News has asked the office of the Information and Privacy Commissioner of Ontario if its investigation into the PowerSchool data breach remains ongoing.

'We take the privacy and security of student, educator, and family data extremely seriously,' a PowerSchool spokesperson told Global News in an emailed statement responding to the OPC's announcement.

'Following the 2024 security incident, we worked closely with the Office of the Privacy Commissioner of Canada to respond swiftly, transparently, and responsibly. We're grateful for the Commissioner's collaboration in helping us strengthen our safeguards even further. PowerSchool remains fully committed to making continual investments in our security infrastructure and the ongoing support of our education partners across Canada.'

— with files from Global's Sean Previl

Federal privacy watchdog discontinuing investigation into student data breach

CBC

22-07-2025


The federal privacy watchdog says it has discontinued the investigation into a cybersecurity breach involving a student information system used across Canada, citing its satisfaction with the company's response and commitment to added security measures.

Privacy Commissioner Philippe Dufresne says the probe was launched in February after his office received a breach report from U.S.-based PowerSchool, which provides the affected software, and a complaint about the incident.

The commissioner's office says a hacker had obtained data such as names, contact information, birth dates and, in some cases, medical information and Social Insurance Numbers of current and former students, current and former educators, and parents across several provinces and territories.

It says PowerSchool took measures to contain the breach, notified affected individuals and organizations and offered credit protection, and has voluntarily committed to additional actions including strengthened monitoring and detection tools.

The commissioner's office says those steps have prompted Dufresne to discontinue the investigation into the breach, but the office will monitor PowerSchool's commitment to its strengthened security measures. It says the decision to stop its probe won't impact ongoing investigations into the breach by provincial privacy watchdogs in Ontario and Alberta.

"I welcome PowerSchool's willingness to engage with my office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada," Dufresne said in a news release Tuesday.

The Toronto District School Board, the largest school board in Canada, said in a letter to parents and caregivers in May that it had recently learned data stolen in December 2024 was not destroyed and that a "threat actor" had demanded ransom.

PowerSchool had said it paid the ransom in hopes of preventing public release of the stolen data. "We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve," it said in a statement in May.

PowerSchool said in a letter to the commissioner Tuesday that it will confirm any further forensic and authentication steps it will take by the end of this month, and the company will provide evidence that it has strengthened its security monitoring tools by the end of this year. It said PowerSchool will provide the commissioner with an independent security assessment and report of its information safeguards by March 2026.

Genetic testing firm 23andMe faces large fine for failing to protect customer data

CTV News

17-06-2025


Privacy Commissioner of Canada Philippe Dufresne leaves after a news conference at the National Press Theatre in Ottawa on Thursday, Feb. 29, 2024. (THE CANADIAN PRESS/Justin Tang)

Genetic testing company 23andMe failed to take basic steps to protect customer data, according to a joint investigation by Canada and the U.K. into a massive global data breach that resulted in information from nearly seven million people being posted for sale online.

As a result, the U.K. is imposing a £2.31 million (C$4.24 million) fine on the company. Canada does not have the power to impose a similar penalty under current privacy laws.

Canada's privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards revealed their findings at a news conference in Ottawa on Tuesday morning.

'With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,' Dufresne said on Tuesday. 'Our investigation found that these types of security measures were not in place at 23andMe.'

In September, 23andMe agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of 6.9 million customers and posted their information for sale on the dark web, including data from nearly 320,000 people in Canada and more than 150,000 people in the U.K. The 2023 attack appeared to specifically target customers with Chinese and Ashkenazi Jewish ancestry.

'The compromised data included highly sensitive information related to health, race and ethnicity information as well as information about relatives, date of birth, sex at birth and gender,' Dufresne explained. 'Much of this information was derived from individuals' DNA. The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyber threats.'

The joint investigation by privacy authorities in Canada and the U.K. was launched in June 2024 to examine the scope of the breach and 23andMe's response.

'In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination,' Dufresne said in a news release when the investigation was announced. 'Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.'

23andMe filed for bankruptcy in March. On June 13, it was announced that a non-profit led by 23andMe co-founder Anne Wojcicki would purchase the troubled company for US$305 million.

Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred on at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.

'23andMe failed to take basic steps to protect people's information,' Edwards said at the press conference on Tuesday. 'Their security systems were inadequate, the warning signs were there and the company was slow to respond. This left people's most sensitive personal data vulnerable to exploitation and harm.'

The investigation also found that 23andMe did not adequately notify regulators and affected customers of the breach as required by Canadian and U.K. laws. Dufresne said they were concerned to find the stolen data was later offered for sale online.

'Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information,' Dufresne said. 'Organizations must also take proactive steps to protect against cyberattacks. This includes using multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.'

Dufresne also called for modernized privacy laws in Canada that would allow him to issue fines and orders like his counterpart in the U.K.

'This is something that exists broadly around the world in privacy authorities and it is something that is necessary,' Dufresne said. 'You can see in a case like this in terms of cybersecurity, in terms of things where time is of the essence, where there are real consequences, this is a gap.'

In a statement to CTV News, a 23andMe spokesperson said by the end of 2024 the company 'had implemented multiple steps to increase security to protect individual accounts and information.' 23andMe's new owner, they added, has 'made several binding commitments to enhance protections for customer data and privacy,' including allowing users to delete their accounts and opt out of having their information used for research.

A 23andMe saliva collection kit is shown on March 25, 2025, in Oakland, Calif. (AP Photo/Barbara Ortutay)

With files from Reuters and CNN

Lack of appropriate safeguards led to 23andMe data breach, joint investigation finds

Toronto Star

17-06-2025


OTTAWA - Canada's privacy watchdog says inadequate security measures opened the door to a data breach discovered two years ago at genetic testing company 23andMe.

Privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards released the findings from their joint investigation of the breach, which affected almost seven million people, including nearly 320,000 in Canada.

Dufresne told a news conference today the breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyberthreats.

He says strong protection must be a priority for organizations, especially those holding sensitive personal information.

23andMe, which filed for bankruptcy in March, sells testing kits that use a customer's saliva sample to uncover genetic information through DNA analysis, including details about health, ancestry and biological relationships.

Dufresne and Edwards announced last May they would look into the data breach's scope, the company's data handling safeguards and whether it adequately notified regulators and affected individuals about the lapse.

This report by The Canadian Press was first published June 17, 2025.
