PowerSchool Commits To Strengthen Breach Measures Following Cyberattack, As Requested By Canadian Privacy Commissioner

On July 22, 2025, the Office of the Privacy Commissioner of Canada (OPC) announced that PowerSchool Holdings, Inc. (PowerSchool) has agreed to fulfill certain commitments, at the OPC’s request, to strengthen its security measures following a cyberattack which affected the personal information of millions of individuals in Canada.

PowerSchool is an education technology software company that provides services to several school boards and schools in Canada. In January 2025, PowerSchool reported to the OPC that it experienced a breach of its security safeguards whereby a threat actor gained unauthorized access to PowerSchool’s online environments using a contractor’s compromised credentials. As part of this breach, the threat actor obtained data such as the names, contact information, dates of birth, medical information and Social Insurance Numbers of certain students, educators, and parents across Canada.

The OPC recently published PowerSchool’s Letter of Commitment, containing PowerSchool’s voluntary commitments to the OPC with respect to additional actions that it will take to strengthen its security safeguards, continue addressing the breach, and prevent future breaches. The OPC also acknowledged that PowerSchool took measures to contain the breach, notified affected individuals and organizations, and offered credit protection. Examples of PowerSchool’s commitments as outlined in the Letter of Commitment include:

• strengthening its monitoring and detection tools;
• conducting a review and readjustment of its system access privileges to align with security best practices and operational needs;
• providing the OPC with information demonstrating that PowerSchool has obtained recertification of ISO/IEC 27001 compliance; and
• providing the OPC with a security assessment and report (with certain specified information) conducted by an accredited and independent external security assessment firm.

In view of PowerSchool’s actions and commitments, the OPC discontinued its investigation into the matter but has stated that it will continue monitoring to ensure that all of PowerSchool’s commitments are fully met. The OPC clarified that its decision does not affect the ongoing investigations by the provincial Information and Privacy Commissioners in Ontario and Alberta.

To read the full Letter of Commitment, click here.

Summary By: Steffi Tran