Ottawa Catholic School Board students’ data accessed in cyber attack

By News Room

The school board said no student or staff social insurance numbers or credit card information were impacted by the breach.


Student and staff information at the Ottawa Catholic School Board has been accessed in a massive North America-wide cyber attack.

The OCSB uses PowerSchool, a student information system provider that was the target of the breach. The U.S.-based company informed school boards across North America of the data breach on Jan. 7 and confirmed that OCSB data was accessed on Jan. 8, said the OCSB.

The board, which promised updates as they become available, said PowerSchool has taken full responsibility for the breach and “that it wasn’t as a result of any action or inaction on the part of the OCSB.”

In a statement released Tuesday and in a letter sent to parents and guardians, the board said it has confirmed that the breach affected all current students and staff, as well as former students and staff who were at the school board during or after the 1998-1999 school year.

No staff or student social insurance numbers or credit card numbers were affected. However, the incident affected numerous other pieces of information.

Among the student data accessed were names (first, last, legal, and preferred), date and place of birth, addresses, email addresses, gender, grade level, OCSB student number and Ottawa Education Number.

For some students, the breach also affected assessment or notes from the Family Welcome Centre; previous school names and addresses; life-threatening and non-life-threatening medical information and family alert notes. Staff information that was accessed included names, employee numbers, Ontario Minister of Education numbers, board email addresses and gender.

For students registered before Sept. 2023, the breach includes guardian names and email addresses as well as emergency contact phone numbers.

“PowerSchool has said it will offer two years of complimentary identity protection services for all students and staff whose information was involved and two years of complimentary credit monitoring services for all adult students and staff whose information was involved,” said the OCSB.

“They are doing this despite the fact that no OCSB student or staff social insurance numbers or credit card information were impacted by this incident.”

According to PowerSchool, its products are used by 76 per cent of students in Canada, and the company employs more than 3,000 people, with 200 based in Canada.

The software “provides districts and school boards throughout Canada with interoperable technology that works for them, including student information management, provincial reporting, online registration, gradebook, learning management, assessment, special/inclusive education, HR, finance, payroll, and student services,” according to PowerSchool.

The privacy commissioner of Canada, Philippe Dufresne, said his office is in contact with PowerSchool to obtain more information about the breach and to provide the company with information about breach response and reporting requirements under privacy legislation.

“This will allow us to convey our expectations to the company regarding their response to the breach and to determine next steps,” said Dufresne in a statement.

“I am also in contact with my provincial and territorial counterparts regarding this matter.”

Dufresne said he is concerned about the potential impact such an incident may have on the personal information of students across the country.

“Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information,” said Dufresne. “This is particularly important when dealing with children’s personal information.”

The three other Ottawa school boards say they have not been affected by the breach.

The Conseil des écoles publiques de l’Est de l’Ontario (CEPEO, the French-language public board) said it is not using the software affected by the breach and no data was compromised.

In a letter to families and staff in French, the Conseil des écoles catholiques du Centre-Est (CECCE, the French-language Catholic board) said the software is used by boards to store “a certain amount of information on their students,” but is no longer used by the CECCE for this purpose.

“After verification, PowerSchool experts confirm that the personal data of our students and staff members has not been the subject of a cyberattack,” said the CECCE.

The breach has affected different school boards in different ways across the country.

In Nova Scotia, for instance, the social insurance numbers of about 250 employees of the Cape Breton-Victoria Regional Centre for Education who worked in the region prior to 2010 were compromised, according to the Nova Scotia Department of Education, but no students, parents or staff who started after 2010 have social insurance information in PowerSchool.
