Ransom Paid in Saskatchewan Data Breach Raises Privacy Concerns

A significant data breach affecting the Prairie Spirit School Division (PSSD) highlights the complexities of cybersecurity and the implications of ransom payments. The incident, which came to light in a report by Grace Hession David, Saskatchewan’s Information and Privacy Commissioner (SIPC), involved hackers demanding a ransom of 30 bitcoins—valued at approximately $2.85 million USD—to prevent the release of sensitive personal information belonging to students, parents, and teachers.

The breach, which impacted records of 28,635 students and 4,130 teachers, is part of a troubling trend in cybersecurity where educational institutions find themselves increasingly targeted. PSSD, which serves communities near Saskatoon, notified the SIPC on January 9, 2025, after realizing the extent of the breach.

Details of the Breach and Ransom Payment

According to the SIPC report, the hackers threatened to expose personal data, including names, dates of birth, social insurance numbers, and medical information. The breach not only affected PSSD but potentially involved data from “more than 60 million students and 10 million teachers,” as outlined in American court documents related to the case.

PSSD had been in the process of discontinuing its relationship with PowerSchool, the software company responsible for managing its information systems, since January 2022. The school division had requested the cancellation of its subscriptions and expected that all data would be deleted following termination, as stipulated in their contract with PowerSchool. Yet, when PSSD sought confirmation of data deletion in early 2024, they received vague responses, leaving them unclear about whether their information had been fully purged.

The situation escalated in September 2024 when a “threat actor” accessed data using login credentials of a PowerSchool contractor. By December, the stolen information had reportedly been transferred to a server located in Ukraine, prompting PowerSchool to make the controversial decision to pay the ransom. The company has not disclosed the amount paid, but emphasized that it believed this action was necessary to protect its customers.

Implications for Data Management and Security

The SIPC report underscored the grim reality of ransom payments, stating that “PowerSchool paid a ransom fee to the threat actor despite the risk that the stolen data could never be confirmed as purged.” Hession David noted that there can be no guarantees in such circumstances, raising serious questions about the effectiveness of ransom payments as a means of mitigating risk.

The commissioner identified two main factors contributing to the breach. First, the lack of multifactor authentication—a security measure that requires users to provide additional verification beyond a password—was a critical oversight that could have prevented unauthorized access. Second, PowerSchool’s failure to adequately purge data following the termination of their services contributed to the vulnerabilities that led to the breach.

Hession David recommended that PSSD implement stricter auditing processes for its service providers to ensure compliance with contractual obligations and provincial privacy legislation. Additionally, she advised the school division to cease the unnecessary collection of sensitive personal information, such as Social Insurance Numbers and Health Services Numbers, to mitigate the risk of future breaches.

She commended PSSD for its efforts to communicate with affected individuals promptly, emphasizing the need for public bodies to be proactive in managing and protecting sensitive data. The report serves as a cautionary tale, reminding organizations that the responsibility for data integrity remains with them, even when outsourcing to third-party providers.

In light of the incident, Hession David urged individuals affected by the breach to monitor their credit reports and remain vigilant against potential fraudulent activities. The data stolen in such breaches can often find its way to the Dark Web, where it may be exploited by criminals.

As educational institutions continue to face cybersecurity threats, the lessons learned from the PSSD breach will be crucial in shaping future data management practices and ensuring the safety of personal information.