PowerSchool Cybersecurity Incident

Division Operations

Last updated: Thursday, Jan. 9, 5:00 pm

St. Albert Public Schools has been impacted by a North America-wide cybersecurity breach targeting PowerSource, a support portal of PowerSchool. PowerSchool is the platform we use to manage student data. This incident affected many school divisions across Alberta and the continent. As a customer of PowerSchool, our division's student and staff information, as well as stored data from past students and staff dating back to 2012, was among the data compromised.

This web page is our main source of information about the cybersecurity incident. It will be updated regularly as new information becomes available.

If you have further questions, please email us at ask-us@spschools.org. This will allow us to prioritize responses efficiently while keeping our phone lines open for regular division operations.

What student information was compromised?

Not all information within PowerSchool was compromised: the attack is isolated to one section (that PowerSchool refers to as a “table”) within PowerSchool that includes demographic information.

The following information was exported from individual student accounts dating back to 2012:

  • First name
  • Last name
  • Date of birth
  • Student phone numbers
  • Home/mailing address

Please keep in mind that the information that was compromised will vary from division to division, depending on how they use the fields that are stored in that “table” within PowerSchool.

We are making attempts to connect with past students affected by the data breach.

What student information was not compromised?

  • Financial data (credit card or banking information)
  • Student profile photos
  • Computer user passwords
  • Social insurance number (we do not collect the SIN for students)
  • Birth certificates

What staff information was compromised?

Not all information within PowerSchool was compromised: the attack is isolated to one section (that PowerSchool refers to as a “table”) within PowerSchool that includes demographic information.

The following information was exported from individual staff accounts dating back to 2012:

  • First name
  • Last name
  • @spschools.org email addresses
  • Phone numbers for approximately 173 staff (who will be contacted individually by Information Services)

Please keep in mind that the information that was compromised will vary from division to division, depending on how they use the fields that are stored in that “table” within PowerSchool.

We are making attempts to connect with past staff affected by the data breach.

What staff information was not compromised?

  • Human Resources information (home address, SIN, etc.)
  • Financial data (credit card or banking information)
  • Login passwords

What steps have been taken to confirm that the data in question has since been deleted in its entirety?

As soon as PowerSchool learned of the incident, they enlisted the assistance of a third-party professional cybersecurity advisor and negotiator. With their guidance, PowerSchool has received reasonable assurances from the threat actor that the compromised data has been deleted and that no additional copies exist. Given the sensitive nature of their investigation, PowerSchool is unable to provide us with any more specific information at this time.

Although this breach is at the PowerSchool level, St. Albert Public Schools continues to do additional monitoring of any potential exposure of private data through various channels and resources.

Does this data breach increase the risk of identity theft?

PowerSchool does not anticipate the data will be shared or made public, and they believe it has been deleted without any further replication or dissemination. PowerSchool has taken measures to contain the incident and has no evidence of malware or continued unauthorized activity in the PowerSchool environment. They have also taken steps to further strengthen their system and continue to invest significant resources into their cybersecurity defences.

Because the breach happened at the PowerSchool level, our division has no control over what happens with the compromised data and has to rely on the negotiations PowerSchool has with the threat actor.

Our division continues to do additional monitoring of any potential exposure of private data through various channels and resources.

The email you sent suggests our division was not targeted but it also says personal info was exported. This is confusing when looking at individual students. Can you clarify?

When we say that our division was not targeted individually, we mean that we are not the only division impacted by the cybersecurity incident. Our student and staff data going back to 2012 was compromised, along with data from many school divisions across North America.

How confident are you that the incident has been contained?

This was a PowerSource breach. PowerSchool assures us that the incident is contained, and they have no evidence of malware or continued unauthorized activity in the PowerSchool environment. They have also taken steps to further strengthen their system and continue to invest significant resources into their cybersecurity defences.

St. Albert Public Schools has multi-factor authentication enabled for all internal division employees who access student information through PowerSchool. We have also purchased a subscription that monitors the dark web.

What steps are you taking to prevent this from happening again?

This was a PowerSource breach.  PowerSchool has further strengthened PowerSource password policies and controls including increasing password length and complexity requirements of all individuals within their company.

St. Albert Public Schools has multi-factor authentication enabled for all internal division employees who access student information through PowerSchool. We have also purchased a subscription that monitors the dark web.

When did the data breach take place?

The data was exported from PowerSchool on December 22, 2024. PowerSchool was made aware of the breach on December 28, 2024. PowerSchool notified St. Albert Public Schools on January 7, 2025. Our internal Information Services team began investigating the incident upon notification and confirmed that unauthorized access to information had occurred.

Will St. Albert Public Schools or PowerSchool provide credit/identity monitoring?

Our division is working with PowerSchool regarding this and we will share information as it becomes available to us.

Are birth certificates on file?

Birth certificates were not part of the data involved in this incident and have not been accessed.

What best practices can families do to protect themselves from identity theft?

  • Review email and social media accounts for unusual activity.
  • Regularly update passwords for all accounts, especially if the same password has been used elsewhere.
  • Use strong, unique passwords for each account, and consider a password manager for added security.
  • Wherever possible, add an extra layer of security by enabling 2-factor authentication.
  • Watch for phishing attempts. Look for suspicious emails, calls, or messages pretending to be from legitimate organizations. Do not click on unfamiliar links or share personal information.