Inadequate online security controls and poor oversight by school boards set the stage for a massive cyberattack that compromised the personal information of millions of current and former Ontario students, the province’s privacy commissioner says.

“I conclude that the institutions did not have reasonable measures in place to prevent unauthorized access to the personal information in their custody or control” as required, says the report released Tuesday by Patricia Kosseim on the 2024 incident that targeted the cloud-based software used by boards, accessing student data as far back as 1965.

There “were shortcomings in certain institutions’ agreements with PowerSchool that lacked reasonable provisions to ensure the privacy and security of the personal information held by PowerSchool on be

See Full Page