Guarding Your Family: Lessons from Recent School Data Breaches
Jan 21, 2025
The safety of personal data has never been more critical. Whether it’s your own personal information or that of your children, the reality is that sensitive details are increasingly vulnerable to cyberattacks. A significant data breach at several Canadian school divisions has heightened concerns about how well personal information is protected, and raised the crucial question of who is responsible for safeguarding it.
A Massive School Data Breach
The December 2024 breach affected school boards across six provinces in Canada. The cyberattack compromised a vast array of sensitive personal data. PowerSchool, a U.S.-based company, informed Canadian school districts this week that hackers infiltrated its systems using a compromised credential to gain access to one of its portals. While the specifics of how the attack was carried out have been kept under wraps, the scale of the breach is chilling.
The stolen data includes:
- Student data: Personal details like names, birth dates, schools attended, home addresses, contact information for parents, guardians and emergency contacts.
- Teacher and staff (including bus drivers’) data: This includes sensitive payroll details, tax information, beneficiaries’ addresses, union numbers, and more.
- School leadership: Information on trustees and superintendents, which typically includes personal contact details and financial records.
- Post-secondary student data: For institutions with a focus on international students, this breach also involved visa information, immigration details, and financial records.
This breach doesn’t just affect the immediate students and staff members; it has an exponential ripple effect, impacting a far broader network of families, teachers, and school staff.
Who’s Responsible for Protecting Your Data?
The question that often arises after a breach like this is: who is responsible for protecting your personal information? The answer is multifaceted. Schools, school boards, and third-party service providers all play a role in safeguarding the data they collect.
- Timely Notification: When a breach occurs, institutions are required to notify affected individuals as soon as possible. This is crucial because it allows you to take immediate steps to protect yourself from the consequences of the breach, such as identity theft or fraud. Whether through email, letters, or a public announcement, you need to know what information was compromised and what actions you should take.
- Support and Mitigation: Following a breach, the institution must offer support to help mitigate the damage. This could involve issuing letters to banks or other entities, informing them of the situation, or offering guidance on how to prevent further issues. While initial communication might be a generic message, the institution should still offer a road map for you to follow in addressing the situation.
- Data Storage and Security: Institutions must store personal data securely and according to the guidelines set out for their jurisdiction. Sensitive information, such as financial or medical details, should not be stored on cloud servers unless they are properly encrypted and protected by strong security measures. In many cases, personal information should be spread across multiple servers to minimize the risk of complete exposure in the event of a breach.
- Data Access Control: When it comes to sensitive data, the institution must have strict access control protocols. This means ensuring that only authorized personnel have access to personal information, and that those accessing it are doing so for legitimate purposes.
The Reality of Data Breaches
This breach illustrates just how vulnerable personal data can be, even in institutions we trust. Schools, hospitals, government agencies, and companies all maintain extensive databases containing sensitive personal information. And while we rely on these institutions to protect our data, the truth is that breaches are becoming more common.
It is an illusion to think you are the only one who puts information about you onto the web. However, you should make every effort to know what is out there and reduce your footprint where possible. While we can’t control what other people or organizations do with our data, we can take steps to minimize the risks and protect ourselves from identity theft and fraud.
What Can You Do to Protect Yourself?
Even if you can’t prevent breaches from happening, there are steps you can take to reduce the risks:
- Monitor Your Financial Accounts: One of the first things you should do after a breach is to keep an eye on your financial accounts. Watch for any unauthorized charges or suspicious activity. If you spot something unusual, act quickly to report it and stop further damage.
- Check Your Credit: It’s important to regularly check your credit reports for any signs of identity theft. If your information was exposed, you may find new accounts or other fraudulent activity in your name. The sooner you catch it, the better. In the United States you can even freeze your credit, reducing your chances of being compromised even further.
- Use Strong Passwords: Online security starts with strong, unique passwords. Avoid using easily guessed information (such as your name, birth date, or "password123"). Instead, create complex passwords with spaces and consider using a password manager to store them securely.
- Enable Two-Factor Authentication: Many online services now offer two-factor authentication (2FA) as an added layer of security. By enabling 2FA, you make it more difficult for cybercriminals to gain access to your accounts, even if they manage to steal your password.
- Be Wary of Phishing Scams: After a data breach, criminals often use phishing tactics to exploit the situation. Be cautious of unsolicited phone calls, emails, or messages that ask for personal information. Always verify the source before responding.
- Limit Your Digital Footprint: While it’s impossible to control everything, you can take steps to limit your exposure online. Think carefully before sharing personal information on social media or with organizations that don’t need it.
The Bigger Picture: Who’s to Blame?
While this breach highlights the importance of securing personal data, it also raises important questions about accountability. Schools and organizations that store personal data have a responsibility to protect it. But we also need to recognize that in today’s interconnected world, no system is completely safe. The reality is that we don’t have control over all of our personal data, but we can still take action to protect ourselves when things go wrong.
In the end, the responsibility lies not only with schools and vendors to secure our data but also with us as individuals to be aware of the risks and take steps to safeguard our personal information. Data breaches are a grim reminder that our personal information is always at risk. Being informed, vigilant, and proactive is the best way to minimize the impact on your life.