This article originally appeared in The Hub.
By Paul W. Bennett, February 5, 2025
Schools are sitting ducks for hackers and cybersecurity attacks. The latest and most glaring example was the massive security breach of student information systems following the hack of education software giant PowerSchool. This breach, which affected dozens of North American schools and, we know now, at least eighty in Canada, was revealed to the public in early January, in a rash of managed media disclosures. Without any national or international monitoring networks, the hackers based overseas attacked with impunity. It took two full weeks after the reported breakdown before students and staff were finally advised of the breach. It was, in the popular idiom, just the visible tip of the iceberg.
Though the cyberattack was treated by school officials as a simple matter of “containment” within each state, province, or school district, it is a big deal. A small Nova Scotia school district in Cape Breton was among the first to disclose the extent of the breach, but it was only one of dozens of North American jurisdictions subject to internet theft, including school systems from Alberta to Newfoundland and Labrador. Most recently Canada’s largest district, Toronto District School Board, finally came clean, revealing that the data breach involved students’ names, birthdates, health card numbers, and other personal information going back forty years to 1985. More than 2.4 million students, Global News reported, had been affected at Canada’s two largest districts, Toronto DSB and Peel Region DSB.
The growing cybersecurity threat
Cybersecurity ranked as the number one priority of K-12 technology leaders in 2023, for the fifth year in a row, according to a recent report. The January-February 2023 survey, as reported in Education Week, canvassed more than 1,200 U.S. school district technology managers who revealed that they were struggling to cope with and contain cybersecurity problems becoming not only more common but more complicated to combat. Between 2016 and 2022, American cybersecurity trackers have documented 1,619 publicly disclosed cyberattacks.
Schools are a fertile frontier for hackers. Today’s school districts run on electronic data and much of it on their online servers, providing wide access to their systems to staff, students, and parents. They now rely heavily on cloud-based online storage systems to manage that data. Over the past decade, schools have also become even more reliant on technology to aid instruction and have dramatically increased their use of online programs and apps for teaching.
Hacking can wreak havoc on school systems, as breaches and data thefts have the potential to interrupt teaching and learning, derail school budgets, and disrupt parent communication, as well as threaten the security of students’ and staff members’ private information. Eighty percent of American school IT professionals in 2023 reported that they had been hit by a ransomware attack in the past year.
Hidden vulnerabilities
American school technology leaders, supported by the U.S.-based Consortium for School Networking, are way ahead of us in embracing cybersecurity protection. What’s most disconcerting is that even those on top of the issue do not feel fully prepared for present and future cyberattacks. In May of 2023, they reported that while there was no way to eliminate the risk of data breaches, it was time for districts to take concrete steps to mitigate them.
Flat networks and small cybersecurity budgets are a fundamental problem, particularly in Canadian K-12 school districts. The University of Guelph’s head of cybersecurity, Ali Dehghantanha, saw it as a storm warning for more attacks in coming years. “When we look into the schools and school boards,” he told CTV News Kitchener, “there is little to no investment in cybersecurity” and it “makes them easy targets.” It’s so porous, he added, that the safety and well-being of students is at potential risk.
Why it happened
The surveillance state has intruded into the schoolhouse. Protecting the cybersecurity of students and staff should, by now, be a school system priority because most, if not all, data and communications are conducted online, and more so since the pandemic. Education budgets need to be increased to counter the mushrooming cybersecurity problem, ideally in collaboration with national and international police and security agencies.
The hackers, traced by U.S. cyber watchdogs to IP addresses in Ukraine, struck between December 22 and 28, one of the most vulnerable times on the pre-holiday school schedule. Clearly, this problem is bigger than just Canada can handle and will require a coordinated national and international strategy to provide better cybersecurity for school systems. The expert advice: do not let your guard down, keep your patches up-to-date, change your passwords, and be on alert for unusual online activity.
Wake up and be more responsive
One of the affected school districts, Cape Breton Regional Centre for Education (CBVRCE) in Nova Scotia, was typical of the smaller boards victimized across Canada. Students and staff were advised a day after most others. Some 250 veteran employees of CBVRCE, hired before 2010, were eventually informed their social insurance numbers were compromised by the international hackers. To make matters worse, the provincial education advisory only came after the president of the Nova Scotia Teachers Union, Peter Day, issued a public letter demanding answers. It took a month before the full extent of the cyber breach was revealed in Canada’s largest metropolitan school districts.
Clearly, school authorities right across Canada were caught flat-footed and played catch-up in the wake of the PowerSchool data breach. Communicating the news was slow as molasses because it was managed by PowerSchool in collaboration with school authorities from state to state, province to province.
In terms of lessons learned, preventing these types of breaches from happening in the future is priority number one. But at the very least in the meantime, improving the transparency and communication following such incidents should be paramount. Students, staff, and parents have a right to personal privacy and should not be first learning about it from the media.
Paul W. Bennett, Ed.D., is the director of the Schoolhouse Institute, a senior fellow at the Macdonald-Laurier Institute, and chair of researchED Canada. He is the author of The State of the System: A Reality Check on Canada’s Schools (2020) and the research report “Pandemic Education Fallout: Learning Loss, Collateral Damage and Recovery in Canada’s Schools” (Cardus Canada, November 2023).