As details of a data breach affecting school boards across Canada continue to emerge, cybersecurity expert Aaron Mauro is encouraging everyone to answer the collective call to enhance online security.
First discovered on Dec. 28, the cyberattack targeted PowerSchool, an administration software platform used widely by school boards across North America. Cybercriminals gained access to the platform and stole student records in several Canadian provinces.
The high-profile data breach has since drawn the attention of Canada's privacy commissioner, whose office is now looking into the incident.
"The issue of cybersecurity is not merely a problem for IT to solve, rather a problem society and communities must solve together," says Mauro, Associate Professor of Digital Media at Brock University.
PowerSchool's reporting is offering a range of supports to affected students, including identity theft protection for up to two years.
In the case of employees with compromised SSN/SIN numbers, the risk of identity theft will last much longer if their data is traded or aggregated into other collections of compromised data.
Organizations and institutions of all sizes are exposed to global threats by the very fact of internet connectivity, Mauro says.
"We should instill strong security literacy in our workforce and foster resiliency by making cybersecurity practices commonplace and common sense," he says. "Identifying and protecting systems from threats should be an everyday practice for all employees working in environments with sensitive data, such as education."
According to Microsoft's 2024 Digital Defense Report, the educational sector makes up 21 per cent of all cyberattacks.
"The people who commit crimes against schools are not good people; they are attacking a target that does not have intrinsic financial value the inherent vulnerability of children," Mauro says.
The PowerSchool breach is an example of a "hack and leak attack," he says, where the threat of leaking data requires schools to pay to protect students' privacy. While PowerSchool paid a fee to those responsible, there are no guarantees the stolen data was destroyed.
According to the Canadian Centre for Cybersecurity, paying ransoms in a hack and leak operation is risky, noting that cybercriminals may demand more money, continue to attack or simply sell the compromised data online.
"Of course, criminals are not trustworthy, so there is very little assurance that they would keep the exfiltrated data private," Mauro says.
In Ontario, digital infrastructure should be the responsibility of the Ontario Digital Service, he says. "Moving forward, we could all benefit from a centralized system for education records that is as well protected as our medical records, tax records and other government operations."
Mauro says parents and guardians should also be advocating for increased support for security processes in schools.
"Practices like Multifactor Authentication and strong password policies will help harden these targets a great deal," he says.
In the case of the PowerSchool data breach, Mauro says parents have a right to be informed regarding response and recovery efforts, and that transparent reporting of cyberattacks helps other organizations better prepare for future attacks.
"Relying on under-regulated, closed source, proprietary software for security is perhaps no longer the best choice for our children," he says.
