PowerSchool Cybersecurity Incident

Division Operations

Update from PowerSchool February 3

PowerSchool has begun notifying those affected by the cybersecurity incident. They have asked us to share the following information with families:

"Today, February 3, 2025, PowerSchool initiated the process of notifying individuals whose information was determined to be involved.

As previously mentioned, PowerSchool has engaged Experian and TransUnion, trusted credit reporting agencies, to provide complimentary identity protection and credit monitoring services to current and former students and educators that had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Insurance Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved students (or their parent/guardian) for whom PowerSchool has sufficient contact information.

The offered credit monitoring services in Canada will be available for those who have reached the age of majority and will be provided by TransUnion and referenced in the notifications from Experian. The offered identity protection services will be available for all involved students and educators and will be provided by Experian.

Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with both Experian and TransUnion’s offerings and the incident. All the information regarding the activation of and access to these services will be included in the emails sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate these offerings.
Protecting students and teachers remains our top priority. Thank you again for all of your support and understanding during this time.

PowerSchool"

Update: January 23

We have received the following information from PowerSchool regarding next steps. We encourage division families, past and present, to access the credit monitoring services being offered, if you are notified that your information was accessed. 

"Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.

As a PowerSchool SIS customer in Canada whose information was involved, I am writing to provide you with updates on several important next steps:

Identity Protection and Credit Monitoring Services: PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. The offered credit monitoring services in Canada, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian for both the United States and Canada. This offer is being provided regardless of whether an individual’s Social Insurance Number was exfiltrated.

  • Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
  • Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved. This service is being provided by TransUnion because Experian does not offer credit monitoring in Canada.

Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and the necessary privacy regulators on your behalf. We hope to relieve the burden of these notifications on you and your institution.  

  • Community: PowerSchool will coordinate with TransUnion and Experian, to provide notice on your behalf to students, parents / guardians and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).  

We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.

Sincerely,

Hardeep Gulati

Chief Executive Officer, PowerSchool"

Last updated: Thursday, Jan. 9, 5:00 pm

St. Albert Public Schools has been impacted by a North America-wide cybersecurity breach targeting PowerSource, a support portal of PowerSchool. PowerSchool is the platform we use to manage student data. This incident affected many school divisions across Alberta and the continent. As a customer of PowerSchool, our division's student and staff information, as well as stored data from past students and staff dating back to 2012, was among the data compromised.

This web page is our main source of information about the cybersecurity incident. It will be updated regularly as new information becomes available.

If you have further questions, please email us at ask-us@spschools.org. This will allow us to prioritize responses efficiently while keeping our phone lines open for regular division operations.

What student information was compromised?

Not all information within PowerSchool was compromised: the attack is isolated to one section (that PowerSchool refers to as a “table”) within PowerSchool that includes demographic information.

The following information was exported from individual student accounts dating back to 2012:

  • First name
  • Last name
  • Date of birth
  • Student phone numbers
  • Home/mailing address

Please keep in mind that the information that was compromised will vary from division to division, depending on how they use the fields that are stored in that “table” within PowerSchool.

We are making attempts to connect with past students affected by the data breach.

What student information was not compromised?

  • Financial data (credit card or banking information)
  • Student profile photos
  • Computer user passwords
  • Social insurance number (we do not collect the SIN for students)
  • Birth certificates

What staff information was compromised?

Not all information within PowerSchool was compromised: the attack is isolated to one section (that PowerSchool refers to as a “table”) within PowerSchool that includes demographic information.

The following information was exported from individual staff accounts dating back to 2012:

  • First name
  • Last name
  • @spschools.org email addresses
  • Phone numbers for approximately 173 staff (who will be contacted individually by Information Services)

Please keep in mind that the information that was compromised will vary from division to division, depending on how they use the fields that are stored in that “table” within PowerSchool.

We are making attempts to connect with past staff affected by the data breach.

What staff information was not compromised?

  • Human Resources information (home address, SIN, etc.)
  • Financial data (credit card or banking information)
  • Login passwords

What steps have been taken to confirm that the data in question has since been deleted in its entirety?

As soon as PowerSchool learned of the incident, they enlisted the assistance of a third-party professional cybersecurity advisor and negotiator. With their guidance, PowerSchool has received reasonable assurances from the threat actor that the compromised data has been deleted and that no additional copies exist. Given the sensitive nature of their investigation, PowerSchool is unable to provide us with any more specific information at this time.

Although this breach is at the PowerSchool level, St. Albert Public Schools continues to do additional monitoring of any potential exposure of private data through various channels and resources.

Does this data breach increase the risk of identity theft?

PowerSchool does not anticipate the data will be shared or made public, and they believe it has been deleted without any further replication or dissemination. PowerSchool has taken measures to contain the incident and has no evidence of malware or continued unauthorized activity in the PowerSchool environment. They have also taken steps to further strengthen their system and continue to invest significant resources into their cybersecurity defences.

Because the breach happened at the PowerSchool level, our division has no control over what happens with the compromised data and has to rely on the negotiations PowerSchool has with the threat actor.

Our division continues to do additional monitoring of any potential exposure of private data through various channels and resources.

The email you sent suggests our division was not targeted but it also says personal info was exported. This is confusing when looking at individual students. Can you clarify?

When we say that our division was not targeted individually, we mean that we are not the only division impacted by the cybersecurity incident. Our student and staff data going back to 2012 was compromised, along with data from many school divisions across North America.

How confident are you that the incident has been contained?

This was a PowerSource breach. PowerSchool assures us that the incident is contained, and they have no evidence of malware or continued unauthorized activity in the PowerSchool environment. They have also taken steps to further strengthen their system and continue to invest significant resources into their cybersecurity defences.

St. Albert Public Schools has multi-factor authentication enabled for all internal division employees who access student information through PowerSchool. We have also purchased a subscription that monitors the dark web.

What steps are you taking to prevent this from happening again?

This was a PowerSource breach.  PowerSchool has further strengthened PowerSource password policies and controls including increasing password length and complexity requirements of all individuals within their company.

St. Albert Public Schools has multi-factor authentication enabled for all internal division employees who access student information through PowerSchool. We have also purchased a subscription that monitors the dark web.

When did the data breach take place?

The data was exported from PowerSchool on December 22, 2024. PowerSchool was made aware of the breach on December 28, 2024. PowerSchool notified St. Albert Public Schools on January 7, 2025. Our internal Information Services team began investigating the incident upon notification and confirmed that unauthorized access to information had occurred.

Will St. Albert Public Schools or PowerSchool provide credit/identity monitoring?

Our division is working with PowerSchool regarding this and we will share information as it becomes available to us.

Are birth certificates on file?

Birth certificates were not part of the data involved in this incident and have not been accessed.

What best practices can families do to protect themselves from identity theft?

  • Review email and social media accounts for unusual activity.
  • Regularly update passwords for all accounts, especially if the same password has been used elsewhere.
  • Use strong, unique passwords for each account, and consider a password manager for added security.
  • Wherever possible, add an extra layer of security by enabling 2-factor authentication.
  • Watch for phishing attempts. Look for suspicious emails, calls, or messages pretending to be from legitimate organizations. Do not click on unfamiliar links or share personal information.