Latest news with #PowerSchool


Global News
3 days ago
- Business
- Global News
PowerSchool 'not off the hook' for data breach: ex-privacy commissioner
A former federal privacy commissioner says PowerSchool is 'not off the hook' over the massive data breach that affected millions of kids, teachers and parents despite the end of an investigation into the company's cybersecurity practices, noting the improvements PowerSchool has committed to making. Chantal Bernier, who was assistant federal privacy commissioner from 2008 to 2014 and held the role of interim commissioner in 2014, told Global News the agreement announced Tuesday was the most effective way for the Office of the Privacy Commissioner (OPC) to hold PowerSchool accountable, given the deadlines the company now has to boost its security and prove it can prevent future cyberattacks. 'It keeps alive the right for the OPC to initiate a complaint and then go into a full investigation should PowerSchool not come through,' Bernier said in an interview. 'PowerSchool is not off the hook at all.' The OPC said Tuesday that privacy commissioner Philippe Dufresne had decided to end his investigation into the breach after PowerSchool 'took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.' According to a letter of commitment with the OPC signed last week, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools. By March 2026, the education software company will also need to get recertified under global information security standards and provide an independent, third-party security assessment and report to the OPC on PowerSchool's updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.
Dufresne will have to review and approve PowerSchool's plans to accept or reject any recommendations from that report, as well as ensure the company meets its other commitments. The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada whose schools use PowerSchool's platform. Nearly 90 school boards across Canada confirmed to Global News they had been affected by the breach, with some later receiving ransom demands. A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Bernier said PowerSchool, unlike some companies that have faced OPC investigations, has so far appeared to be 'open and transparent' with parents, school boards and the OPC in its response to the hack, which helped bring the federal case to an end for now. She pointed out that the OPC's latest annual report, released in June, committed to ensuring companies comply with privacy regulations 'more strategically, using measures that are the most relevant and efficient for any given situation,' quoting Dufresne's opening message from the report.
'That's why I reacted to the announcement (of the agreement) with great satisfaction, because I thought, well, the OPC is making good on its commitment,' said Bernier, who currently works in privacy and cybersecurity law at Dentons in Ottawa and was not involved in the PowerSchool case. 'We already know what happened here. Why would (the OPC) spend Canadian taxpayers' money investigating any further? So let's cut to the chase and say, 'This is what we want to see from you.'' A spokesperson for PowerSchool told Global News it was 'grateful for the Commissioner's collaboration in helping us strengthen our safeguards even further,' after working with the OPC 'to respond swiftly, transparently, and responsibly' to the data breach. A separate investigation by the Information and Privacy Commissioner of Ontario, which is looking into what role, if any, was played by provincially mandated school boards in the protection of the leaked data, remains ongoing. Bernier said that during her time at the OPC, companies 'surprisingly' followed through with their commitments to improve their privacy and security protections that brought investigations to an end in a similar way. 'The reason I say 'surprisingly' is because you always have a doubt,' she said. 'They're so powerful that you can't help but wonder, do they really submit to those? 'What you discover … is that consumer pressure is so strong that yes, when the organizations are found in default of privacy protection — particularly when it's made public — they get into line, because they want to maintain or restore customer trust.' However, she added she wants to see renewed efforts to give the OPC additional powers under federal privacy laws, particularly through the enforcement of fines and other penalties.
Efforts to amend the Personal Information Protection and Electronic Documents Act to give the OPC such powers died in the House of Commons in 2020 and 2022. 'It's absolutely necessary, in a context where the use of personal information is so highly profitable, that the misuse must entail proportionate financial consequences,' Bernier said. 'If you're going to make a lot of money using personal data, you have to be subject to paying a lot of money for misusing it.'


The Hill
5 days ago
- Business
- The Hill
How zero-knowledge tools can help us verify age and protect privacy online
In June, French President Emmanuel Macron declared that he'll ban social media for children under 15, stating, 'Platforms have the ability to verify age. Let's do it.' We've all seen what that 'verification' actually looks like: 'I'm over 18.' One click, and you're in. This is how the internet currently 'protects' minors. It's laughable, until you realize that this system is failing millions of children and teens every day. In the U.S., Federal Trade Commission Chair Andrew Ferguson also highlighted this profound inadequacy, calling simple date-of-birth entries 'little to no barrier' for underage access. This admission from a top regulator underscores what many have long known: Current systems throughout the world are failing our children. The other extreme can be even worse. Platforms requiring actual age verification often demand personal documents and store them in databases that have become high-value targets for bad actors. In December, Signzy, a major know-your-customer provider, suffered a malware attack exposing customer data, including scans of IDs and selfie biometrics. Similarly, in January, a massive data breach at education technology provider PowerSchool compromised the sensitive information of 60 million students. Such events are clear indicators of systemic vulnerabilities. Exposing personal identifiable data could lead bad actors right to the doorstep of children, youth and family members, the exact opposite of what age verification requirements are supposed to accomplish. Today's age verification tools were not designed for the digital age. Applying financial-focused risk management procedures (like 'know-your-customer') to social platforms or gaming sites is invasive and dangerous. When sensitive documents are uploaded and stored on third-party servers, data breaches aren't a matter of if, only when. For kids and families, this is unacceptable. For developers and platforms, it creates massive legal and regulatory challenges. 
For society, we're missing an opportunity to implement real protection that respects privacy. We're caught in a false choice: either no protection at all or too much vulnerable surveillance. But we no longer have to choose between these two failures. Zero-knowledge identity protocols remove this mutual exclusivity with enhanced security, privacy and user experience. Zero-knowledge cryptographic technology allows someone to prove something is true without revealing the underlying information. Think of it as showing you're old enough to enter a venue without showing your ID or revealing your name. The mathematical proof confirms that you meet the requirement. This approach enables users to cryptographically prove their age without exposing other sensitive information. For instance, they can confirm they are over 18 without revealing their exact birthdate or other identifiable features beyond what's necessary. The process generally involves a few key stages. Initially, a user interacts with their government-issued ID through a secure application, often on a smartphone. This interaction permits the extraction of necessary data directly from the document's secure elements. Next, a cryptographic proof is generated. This proof is a mathematical assertion that the user meets a specific age criterion (e.g., over 18). Crucially, this proof contains no personally identifiable information itself; it only confirms the truth of the age claim. This privacy-preserving proof can then be shared with an online service or platform. The platform verifies the proof's authenticity and validity using cryptographic techniques, confirming the user's age qualification without ever accessing or storing the underlying personal data from the ID. The platform learns only if the user is old enough. Major tech companies are already recognizing the potential. 
Google announced that it's integrating zero-knowledge proof technology into Google Wallet for age verification, with partners like Bumble already on board. Developers can integrate zero-knowledge age verification into their applications through open-source libraries and verification contracts. These systems check the cryptographic proof and confirm whether a user meets the defined minimum age threshold, all without storing or even seeing the user's full identity. The programmability of these systems is crucial for global deployment. Zero-knowledge protocols can automatically adjust to local regulations (e.g., age 16, 18 or 21) while maintaining the same privacy guarantees. Consider how this technology transforms real-world platforms. Gaming sites verify users meet age requirements without collecting ID copies. Dating apps confirm users' real ages without accessing other personal information. Content platforms gate mature content based on cryptographic proof rather than self-reported information or vulnerable document storage. This is privacy-first protection, enforceable by code and leveraging proven cryptographic technologies. Users maintain full control over their information, choosing what to disclose in each online interaction. We shouldn't accept that verifying a child's age online requires sacrificing privacy, or that doing nothing is acceptable either. The regulatory landscape is already shifting. New York's SAFE for Kids Act began requiring platforms to use age determination technology and restrict 'addictive' feeds to minors without parental consent. Other legislation, like the federal Take It Down Act and state-level App Store accountability acts, also signals a move towards stricter online safety, though some raise privacy concerns about mass data collection. Current age verification methods are also proving unreliable. 
The United Kingdom's Office of Communications recently fined OnlyFans operator Fenix International approximately $1.4 million for providing inaccurate information about its age verification, highlighting how even 'advanced' biometric systems can fail. As legislation aimed at protecting minors online continues to evolve, the technology industry should lead by example. We can protect vulnerable users without exposing their most sensitive information to bad actors. We can continue with systems that either don't work or create massive privacy risks, or we can embrace cryptographic solutions that protect both children and privacy. Platforms now have access to privacy-preserving tools that respect both user autonomy and legal responsibility. There's no excuse not to build better. Parents deserve peace of mind, kids deserve safety and we all deserve a more thoughtful internet. With increasing regulatory scrutiny and growing public demand for better protections, the impetus to shift away from ineffective checkboxes and invasive data collection toward genuinely workable solutions is clear: It is time to move on from the checkbox era. Rene Reinsberg is an entrepreneur who has co-founded multiple ventures including Celo, Self and Locu (acquired by GoDaddy). Jane Khodarkovsky is a former trial attorney and human trafficking finance specialist in the Money Laundering and Asset Recovery Section, Criminal Division, in the U.S. Department of Justice. She is currently a partner at Arktouros.


CTV News
5 days ago
- CTV News
Federal probe ends into cybersecurity breach that impacted school systems, including SMCDSB
The federal privacy watchdog has ended its investigation into a cybersecurity breach involving a student information system used across Canada, including the Simcoe Muskoka Catholic District School Board (SMCDSB). In January, the Simcoe Muskoka Catholic board issued a letter to families notifying them of a cybersecurity breach of the PowerSchool portal - the Student Information System. 'We use this system to store our student-related data. The breach occurred on PowerSchool's server and has impacted many school districts across North America and even internationally,' the SMCDSB January 8 letter stated. The breach exposed personal data such as names, contact information, birth dates, and, in some cases, medical details and Social Insurance Numbers of students, educators, and parents. Pauline Stevenson, communications manager for SMCDSB, confirmed to CTV News in May the board had been told all its student data had been deleted and that the board had not received any ransom requests from hackers. The board said while hackers had accessed a PowerSchool support portal, its network had not been compromised. 'PowerSchool is confident that this situation is resolved and they believe your child's data is secure,' the January letter added. On Tuesday this week, the Office of the Privacy Commissioner of Canada said it was satisfied with PowerSchool's response to the incident, including actions to contain the breach and improve security. While the federal investigation has ended, provincial privacy offices in Ontario and Alberta are continuing their own reviews. With files from The Canadian Press


Global News
6 days ago
- Global News
Federal probe into massive PowerSchool data breach is being discontinued
Canada's privacy commissioner said Tuesday that he has discontinued his investigation into the PowerSchool data breach after the education software company agreed to take measures to improve its cybersecurity. The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada. The office of privacy commissioner Philippe Dufresne (OPC) said in a news release that PowerSchool 'took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.' Those actions include 'strengthened monitoring and detection tools,' the OPC release said. 'In light of the actions that PowerSchool has already implemented, and those that it will implement over the coming months, Privacy Commissioner of Canada Philippe Dufresne has decided to discontinue the investigation that he launched in February but will be monitoring to ensure that all of PowerSchool's commitments are fully met,' it continued. 'I welcome PowerSchool's willingness to engage with my Office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,' Dufresne said in a statement. 'Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children's personal information.' Dufresne's investigation began more than a month after the company began to notify PowerSchool users about the data breach, which impacted school boards across most of North America and other countries that PowerSchool serves.
Global News contacted every school board across the country early this year to determine how many were impacted. Of those that responded, at least 87 were affected. Data from those that provided numbers showed that more than 2.77 million current and former students were confirmed to have been affected. In addition, 35,951 staff members, including teachers, were confirmed impacted, with one Nova Scotia school board advising that 3,500 parents' data was also accessed. Some Canadian school boards informed families in May that they had received new ransom demands involving the stolen data. A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Sources close to the investigation told The Associated Press and Reuters that PowerSchool was the company identified as 'Victim 1' in the criminal complaint. What did PowerSchool agree to? According to a letter of commitment with the OPC signed last week and released Tuesday, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and to confirm if it plans to implement any additional authentication process in its affected PowerSource platform.
The company will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools, that those tools can 'identify patterns of irregular activity,' and that it has thoroughly reviewed and readjusted its system access privileges for both security and operational needs. By March 2026, PowerSchool will need to show that it has obtained recertification of the global information security standard known as ISO/IEC 27001. It must also provide an independent, third-party security assessment and report to the OPC on PowerSchool's updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures. If the report includes recommendations for PowerSchool to implement, the company must show the OPC whether it has accepted them and provide an implementation plan and timelines, or provide reasons why it has not accepted them. The commissioner will have to review and approve those submissions. PowerSchool also agreed to continue supporting affected clients and carry out its regular reporting and notification obligations under federal and provincial privacy laws. The OPC letter said PowerSchool's commitments are 'a fair and reasonable response to the complaint' that sparked Dufresne's investigation in February. Global News has asked the office of the Information and Privacy Commissioner of Ontario if its investigation into the PowerSchool data breach remains ongoing. 'We take the privacy and security of student, educator, and family data extremely seriously,' a PowerSchool spokesperson told Global News in an emailed statement responding to the OPC's announcement. 'Following the 2024 security incident, we worked closely with the Office of the Privacy Commissioner of Canada to respond swiftly, transparently, and responsibly.
We're grateful for the Commissioner's collaboration in helping us strengthen our safeguards even further. PowerSchool remains fully committed to making continual investments in our security infrastructure and the ongoing support of our education partners across Canada.' — with files from Global's Sean Previl

CBC
6 days ago
- CBC
Federal privacy watchdog discontinuing investigation into student data breach
The federal privacy watchdog says it has discontinued the investigation into a cybersecurity breach involving a student information system used across Canada, citing its satisfaction with the company's response and commitment to added security measures. Privacy Commissioner Philippe Dufresne says the probe was launched in February after his office received a breach report from U.S.-based PowerSchool, which provides the affected software, and a complaint about the incident. The commissioner's office says a hacker had obtained data such as names, contact information, birth dates and, in some cases, medical information and Social Insurance Numbers of current and former students, current and former educators, and parents across several provinces and territories. It says PowerSchool took measures to contain the breach, notified affected individuals and organizations and offered credit protection, and has voluntarily committed to additional actions including strengthened monitoring and detection tools. The commissioner's office says those steps have prompted Dufresne to discontinue the investigation into the breach, but the office will monitor PowerSchool's commitment to its strengthened security measures. It says the decision to stop its probe won't impact ongoing investigations into the breach by provincial privacy watchdogs in Ontario and Alberta. "I welcome PowerSchool's willingness to engage with my office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada," Dufresne said in a news release Tuesday. The Toronto District School Board, the largest school board in Canada, said in a letter to parents and caregivers in May that it had recently learned data stolen in December 2024 was not destroyed and that a "threat actor" had demanded ransom. PowerSchool had said it paid the ransom in hopes of preventing public release of the stolen data. 
"We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve," it said in a statement in May. PowerSchool said in a letter to the commissioner Tuesday that it will confirm any further forensic and authentication steps it will take by the end of this month, and the company will provide evidence that it has strengthened its security monitoring tools by the end of this year. It said PowerSchool will provide the commissioner with an independent security assessment and report of its information safeguards by March 2026.