Written by: Hector Kearns
The breach of a trusted third-party network relied upon by school boards across Canada has rung alarm bells and rallied Ontario educators, politicians and parents to heightened awareness. The recent hack of PowerSchool has left everyone shaken. Global News reports that more than 2.4 million students have been impacted at Ontario’s two biggest school boards — the Toronto District School Board and Peel District School Board. Personal information has been accessed, with some records dating back to 1995. Such penetration underscores a critical need to adopt a new approach to IT security: Trust but verify.
This isn’t just about pointing fingers. It’s about recognizing that our society has entered a new age where a healthy mistrust of all partners and suppliers has become, or will soon become, the norm. Just because a vendor believes it is secure doesn’t mean it’s true.
In 2023, one of KTI’s closest allies was hacked. Their business networks were locked down as tight as a drum, with everyone trained and fully aware of online threats, when their accounting firm was penetrated. Months earlier, their accounting firm’s CTO had distributed a rigid new data security policy. Yet the hackers used a senior accountant’s credentials to access their payment processor, whereupon they pilfered more than $20,000 CAN. Lesson learned. We helped them get sorted, rebuilding their IT infrastructure for improved resilience. But more importantly, we help victims become vigilantes. They now routinely verify all their partners’ security claims, asking for proof or seeking third-party validation; they’ll check credentials, and even perform their own ethical hacking to test responses.
School boards have to do the same thing. They need to schedule regular IT security consulting and accurately assess the security measures put in place by their partners and suppliers, in addition to their own internal systems and devices.
The Sad Age of Trust but Verify
The “trust but verify” principle isn’t new. The phrase originates from an old Russian proverb which regained prominence during Reagan’s dealings with Gorbachev. It was used then as today to emphasize the importance of verifications in business agreements. Today, the need for independent verification is equally relevant for CEOs, system administrators, and especially educators who handle sensitive data.
In the PowerSchool breach, an unauthorized party gained access to customer data by compromising a single user’s credentials. The initial attack vector was through PowerSchool’s customer support portal, PowerSource. Hackers accessed the PowerSchool Student Information System (SIS), a central database filled with student and staff records of all descriptions. Information accessed included names, birth dates, phone numbers, and addresses from accounts. Other information that might have been accessed includes student ID numbers, grades, gender, medical information, emergency contacts, and disciplinary notes. On the bright side, PowerSchool believes most of the victims did not have social security numbers or medical information taken, and there is no evidence of credit card or banking information being compromised. The data that was taken, however, could be further weaponized with social engineering, the puzzle pieces being sorted by Artificial Intelligence. That rarefied information is the chef’s kiss used to craft specific phishing emails, which have proven highly effective at tricking targets into yielding access to other networks, and to their own health and banking information.

What's at stake when schools fall victim to cyberattacks?
Ransomware: Files can be seized, corrupted, and held for ransom until payment is made for the decryption key. In the PowerSchool hack, data was deleted. The hackers made a video to show the educators how and where many gigabytes were removed, before ransoming them for their return.
Exfiltration: Stolen information can be posted publicly or sold. In this case, the information dates to 1995, meaning the personal details of adults are now vulnerable to exploitation, including identity theft and fraudulent applications.
This isn’t just about protecting personal information; it’s about protecting people’s lives. Educators need to adopt the same vigilance as health care workers with regard to safeguarding critical data. A comprehensive IT security service in 2025 includes proactive, reactive, and compliance-driven security measures to protect an organization’s digital assets. It includes 24/7 monitoring, AI-driven threat intelligence, automation, and human expertise to mitigate evolving cyber threats.
A Path Forward: Proactive Security Measures
Kearns Technology Inc. (KTI) is not just a cybersecurity company. We are designers and engineers who install physical IT infrastructure, and we offer a complete IT security service with on-site training, webinars, and staff certifications. Here are key areas that Ontario school boards, and to some extent all businesses, should address:
Regular Security Audits: Conduct thorough assessments of all third-party vendors, focusing on their security protocols and practices. Please download KTI’s Cybersecurity Checklist.
Employee Training: Implement mandatory cybersecurity training for all staff, including how to recognize phishing and social engineering attacks. Establish clear internal escalation paths for reporting suspicious activity.
Cyber Insurance: Ensure your organization is compliant with cyber insurance policies, including regular cybersecurity lessons and ethical hacking exercises to test employee responses and security systems.
Advanced Security Solutions: Explore implementing solutions like Managed Detection and Response (MDR), Next-Gen Firewalls, Endpoint Detection and Response (EDR), and Zero Trust Architecture (ZTA).
Backup Sensitive Data and Restrict All Access to this Contingency:
Choosing a short backup interval can limit data loss to just a few hours if the attack happens during the workday, and to no loss whatsoever if the hack happens after hours. No end user should have the right to access backup storage. Access should be limited to one or two trusted administrators only.
Develop a Disaster Recovery Plan – DRP:
A Disaster Recovery Plan (DRP) is a process document which outlines how a business should respond to anything that could negatively impact systems and regular operations. Weather events, human error, hardware failure, and cybercrimes like ransomware are all instances where a company needs to fall back to its DRP to restore systems. Having a plan enables more rapid responses and gives managers and system administrators a preordained path to redemption.
The PowerSchool breach wasn’t reported until late January 2025, despite occurring in December 2024. This delay highlights the need for faster detection and reporting. In the unfortunate case of a breach, system administrators must inform stakeholders promptly so they can be extra vigilant and protect themselves against secondary attacks, socially engineered phishing attempts, and identity theft.
The cybersecurity landscape is constantly evolving. Ontario school boards must proactively adapt and invest in comprehensive security measures. It’s time to move beyond simply trusting vendors to take responsibility for verifying their own security. The future of our students’ and teachers’ data depends on everyone’s trusting but verifying each other’s security claims.