More than 35,000 past and current students and staff at Northwest Territories schools are affected by the PowerSchool data breach, the GNWT said on Tuesday.
The breach, uncovered at the end of December and publicized last month, involved someone using login credentials for PowerSchool – a type of software – to steal information related to schools across various countries.
PowerSchool has operations in more than 90 countries and says it serves more than 60 million students. The NWT is among many North American jurisdictions caught up in the breach.
The GNWT had earlier said data accessed by the attacker included information about students and staff at the Beaufort Delta Division Education Council, Dehcho Divisional Education Council, South Slave Divisional Education Council, Yellowknife Catholic Schools, and Yellowknife Education District No 1.
However, the question remained of how far back the breach went.
Advertisement.
Advertisement.
On Tuesday, the GNWT said the territory had used it in some places since 2012.
According to the territory, 32,734 current and former students alongside 2,348 current and former staff had their data exposed. PowerSchool is notifying all of them directly, the GNWT said.
The breach is now understood to involve the Dettah District Education Authority and Ndilǫ District Education Authority alongside the others listed last month.
PowerSchool has said it will offer two years of free identity protection and credit monitoring services to all affected students and educators.
Advertisement.
Advertisement.
“The GNWT is working closely with education bodies across the territory to ensure affected individuals receive timely updates and support,” the territory stated on Tuesday, pointing people to a dedicated webpage.
The GNWT has said data stolen includes names, mailing addresses, phone numbers and email addresses for students, parent, guardians and teachers, as well as student medical information.
PowerSchool is reported to have paid the attacker to delete the data, though it’s not clear if the company has any way to know with certainty if that deletion took place.
