BY PAUL JUNOR
The reported increase in cyberattacks targeting educational institutions is an issue of major social importance. Hundreds of schools across Canada have been targeted in a massive cyberattack. There was a data breach involving software named PowerSchool, which is used by many North American school boards to store vital student data.
“They are defined as attempts to gain unauthorized access to computer systems and steal, modify, or destroy data. They are distributed by individuals or organizations for political, criminal, or personal intentions to destroy, or gain access to classified information.” Some of the different types of cyberattacks and threats include:
- Malware: Malicious software disguises itself as a trusted email attachment or program (i.e. encrypted document or file folder) to exploit viruses and allow hackers into a computer network.
- Distributed Denial of Service (DDoS): This occurs when several hacked computer systems target a site or network and deny the user experience on that specific website or network.
- Phishing: It is the act of sending fraudulent emails on behalf of reputable companies.
- SQL injection attacks: These occur when a cybercriminal exploits software by taking advantage of apps (i.e., LinkedIn, Target) to steal, delete, or gain control of data.
- Cross-site scripting (XSS): This occurs when a cybercriminal sends a “script-injected,” or spammed website link to your inbox, and it’s opened – releasing personal information to said criminal.
- Botnets: These occur when multiple computers, normally on a private network, are infected with viruses and other forms of malicious software (i.e. pop-up messages or spam).
- Ransomware: This is a type of malicious software, or malware, that threatens a victim by destroying, or blocking access to critical data or systems until a ransom is paid.
Some of the recent cyberattacks listed on the website include:
- The US Office of Personnel Management (which occurred in April 2015)
- The credit card details and social security numbers of over 147.9 M customers in the US, UK, and Canada, stolen by hackers of Equifax in 2017
- Russian cyberattacks by hackers who stole data
- A ransomware attack in March 2021 on insurance company CNA Financial, which resulted in a USD $40 million settlement paid out by the company
A letter to parents and caregivers by Stacey Zucker (Interim Director of Education for the Toronto District School Board) describes the extent of the data breach. The letter states, “On Tuesday, January 7th, 2025, PowerSchool notified the TDSB and other school boards in Ontario and across North America that they had experienced a data breach between December 22nd – 28th, 2024. Our cybersecurity team promptly activated our response plan, taking immediate steps to ensure that our critical systems remain operational.”
The letter outlines how PowerSchool responded to the cyberattacks and what steps it took. It notes, “Working with PowerSchool, we are conducting a thorough investigation of the incident and what personal information may have been affected. At this point in time, we are still assessing the exact information that may have been accessed or exported from the application. PowerSchool has informed us that it has received confirmation that the data accessed by an unauthorized user has been deleted and that no copies of this data were posted online.”
The letter concludes, “If it is determined that any personal information has been impacted, we will let you know as soon as possible. In the meantime, and out of an abundance of caution, we have notified the Information and Privacy Commissioner of Ontario. We know this news may be concerning, but please know that we are doing everything possible to learn more from PowerSchool about what occurred and share that information with you.”
On Monday, January 20th, in an update titled “Letter to Staff re: Update on PowerSchool Cyber Incident-Data Breach Notice,” the TDSB revealed additional details. The letter mentioned that the TDSB is contacting all current staff members, such as those in these areas:
- Principals and Vice-Principals
- Teachers
- Classroom support staff (e.g. Educational Assistants, Dedicated Early Childhood Educators, Child and Youth Workers, Special Needs Assistants)
- Office Staff (Office Administrators, Assistants, Secretaries)
- Guidance Counsellors
- Superintendents
- Administrative Liaisons
The letter indicates that, based on the investigation, the personal information accessed includes:
- First, middle and last names
- Employee number
- TDSB email address
The letter concludes that the TDSB “is working with PowerSchool to ensure an incident like this does not happen again in the future.”