ST. JOHN’S – Newfoundland and Labrador’s information and privacy commissioner says governments need to work together to hold big technology companies to account in the wake of a cyberattack that affected millions of Canadians.
Kerry Hatfield released a report Tuesday after her office’s investigation into a 2024 hack of the PowerSchool platform. The breach hit schools across the U.S. and Canada, and exposed personal information belonging to current and former students, teachers, parents and caregivers.
Large tech companies behind dominant platforms can use their size and reach against demands for better privacy protections, especially when those demands come from smaller governments, Hatfield said.
“They’re not always eager to comply with really robust security and privacy measures,” she said in an interview. “I think that smaller jurisdictions should work together with other governments, both federal and provincial, to ensure tech companies are taking seriously security and privacy of Canadians.”
Nevertheless, Hatfield concluded Newfoundland and Labrador’s Education Department did not have adequate measures in place to monitor whether the American company was complying with its contract or security obligations.
The PowerSchool information system helps schools manage data such as grade and attendance and allows teachers to communicate with parents and administrators. Every school in Newfoundland and Labrador uses it, Hatfield’s report said.
The hacker accessed data belonging to more than 285,000 current and former students, teachers, parents and caregivers, including their social insurance numbers, addresses and phone numbers.
“Anyone who attended as a student or had a child in the K — 12 educational system in Newfoundland and Labrador from 1995 onward likely had personal information taken in the PowerSchool breach,” Hatfield’s report said.
She found the provincial Education Department was collecting some unnecessary data, including health-care numbers, which were also accessed.
Her report outlined a series of recommendations, including that the department renegotiate its agreement with PowerSchool to address the privacy and security of personal information.
A Massachusetts man was sentenced in October to four years in prison after pleading guilty to the extortion of two companies, including PowerSchool. The company later said it paid a ransom to the threat actor and provided credit monitoring and identity protection services to those affected.
Privacy watchdogs in Ontario and Alberta investigated the breach, concluding in a report last November that more than five million Canadians were affected by the cyberattack and school boards lacked adequate response plans, among other issues.
This report by The Canadian Press was first published May 12, 2026.
