PowerSchool is a leading provider of education technology solutions designed to support students, teachers, and administrators. With 30 years of expertise in the industry, PowerSchool serves over 60 million students across school districts in 90 countries world-wide. One of its core offerings is its Student Information System (SIS), a comprehensive system for managing and storing student-related data. Despite the recent incident, it remains a reputable company with a strong track record in the education sector.
On December 28, 2024, PowerSchool, a third-party service provider used by Northeastern Catholic District School Board (NCDSB) became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information. On January 7, 2025, PowerSchool notified us of the incident and that personal information of our students and staff may have been impacted.
Many public boards and private schools across North America who use PowerSchool SIS were affected by this incident. Our analysis has confirmed that the breach affected the following NCDSB groups: Current Students: All students currently enrolled in NCDSB schools. Former Students: Any student enrolled during or after the 2020-2021 school year. Current Staff: All permanent staff currently employed by the NCDSB. Former Staff: Any permanent staff employed by NCDSB during or after the 2020-2021 school year.
For all students who have been enrolled in the NCDSB since September 2020, the information affected includes name, date of birth, address, gender, OEN (Ontario Education Number), parent/guardian contact name(s) and phone number(s), and emergency contact name(s) and phone number(s). For some students, some custody and medical information, as well as a doctor’s name and contact information, may also have been affected. With respect to medical alert information, if you provided information to your child’s school about your child’s allergies, medical conditions or injuries, this information was included in the breach. Please note that medical information provided to members of NCDSB’s Student Support Services team or from outside agencies (e.g., Psychologists, Occupational Therapists, Physiotherapists, Audiologists, Speech-Language Pathologists, and Social Workers) was not impacted by this incident.
The incident did not result in the compromise of any of the following information: social insurance numbers, financial information, student academic grades, passwords or Individual Education Plans (IEPs).
Staff data in PowerSchool consists of present permanent employees as well as past permanent staff employed by the Board from September 2020 to December 2024. We have concluded our analysis and can confirm that very limited staff information was compromised as part of this incident. The information affected for these staff members includes their name and work location. For some of these staff members, less than 20%, home address and home phone number were also affected.
The incident did not result in the compromise of any of the following information: social insurance numbers, financial information, date of birth, passwords or credentials.
Yes, the NCDSB has notified and is working with the Information and Privacy Commissioner of Ontario in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.
PowerSchool has posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward. Visit: https://www.powerschool.com/security/sis-incident/.
No. Both PowerSchool and the NCDSB’s own internal investigation can confirm that there was no compromise of credit card or banking information as this information is not stored in the NCDSB’s Student Information System (SIS).
PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. PowerSchool is confident that the breach has been contained, and the accessed data has been deleted without being shared publicly.
No. Only PowerSchool SIS was impacted by this incident.
Yes, for individuals as outlined below. Identity Theft Protection PowerSchool is offering two years of complimentary identity protection services, provided by Experian, to students and educators whose information was involved. Credit Monitoring For involved students and educators who have reached the age of majority, in addition to Experian’s identity protection services, PowerSchool is also offering two years of complimentary credit monitoring services provided by TransUnion. They are doing this even though no NCDSB student or staff Social Insurance Numbers (SIN) or financial information were impacted by this incident. More Information For more information and explicit instruction for each of these services, please visit PowerSchool’s Notice of Data Breach for Individuals in Canada webpage.
PowerSchool is offering two years of complimentary idenity protection services, provided by Experian, to students and staff whose informaion was involved. For involved students and staff who have reached the age of majority, in addition to Experian’s identity protection services, PowerSchool is also offering two years of complimentary credit monitoring services provided by TransUnion. To be clear, all students and staff, past and present, can sign up for Experian’s services. Only adults can sign up for TransUnion’s services. PowerSchool is not offering these services to parents, guardians or emergency contacts. Since the incident, PowerSchool has monitored for signs of information misuse. They have reported that they are not aware at this time of any identity theft atributable to this incident. That said, we encourage all to sign up for these complimentary services. PowerSchool has provided instructions for signing up for these services here, and we reproduce the instructions below, as well. Please note: PowerSchool’s online notice, linked above, suggests that Social Insurance Number (SIN) was affected for some Boards. For the NCDSB, no SIN’s were affected as this information is not stored in the PowerSchool SIS. IDENTITY PROTECTION Offer: Experian Identity Protection Services Available to all involved students and staff. Enrollment Instructions for Experian IdentityWorks 1. Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC) 2. Visit the Experian IdentityWorks website to enroll: https://www.globalidworks.com/identity1/ 3. Provide your activation code: MPRT987RFK 4. For questions about the product or help with enrollment, please email globalidworks@experian.com Details Regarding Your Experian IdentityWorks Membership A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks: • Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web. • Fraud Remediation Tips: Self-help Tips are available on your member center. CREDIT MONITORING Offer: TransUnion Credit Monitoring Services Available to involved students and staff who have reached the age of majority in their applicable province or territory. Enrollment Instructions for TransUnion myTrueIdentity 1. Please visit http://www.powerschool.com/security/canada-credit-monitoring/. There you will find a link to the validation website, https://CaCreditMonitoringValidationPage-PowerSchool.com/, where you will be prompted to validate your information by entering your first name, last name and year of birth. 2. If your identity is validated, a pop up will appear that provides an activation code and provides you a link to TransUnion’s myTrueIdentity site to enroll. Details Regarding your myTrueIdentity Membership Upon completion of the online enrollment process, you will have access to the following TransUnion myTrueIdentity features: • Unlimited online access to your TransUnion Canada credit report, updated daily. A credit report is a snapshot of your financial history and one of the primary tools leveraged for determining credit-related identity theft or fraud. • Unlimited online access to your Credit Vision® Risk credit score, updated daily. A credit score is a three-digit number calculated based on the information contained in your TransUnion Canada credit report at a particular point in time. • Credit monitoring, which provides you with email notifications to key changes on your TransUnion Canada credit report. In today’s virtual world, credit alerts are a powerful tool to help protect you against identity theft, enable quick action against potentially fraudulent activity and provide you with additional reassurance. • Access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention. • Access to Identity Restoration agents who are available to assist you with questions about identity theft. In the unlikely event that you become a victim of fraud; a personal restoration specialist will help to resolve any identity theft. This service includes up to $1,000,000 of expense reimbursement insurance. • Dark Web Monitoring, which monitors surface, social, deep, and dark websites for potentially exposed personal, identity and financial information and helps protect you against identity theft. PowerSchool has provided a call centre to address questions regarding these services. If you have any questions or concerns about this notice, please call 833-918-7884, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays). Please be prepared to provide engagement number B138905. Should you have any questions for NCDSB about this notice, please do not hesitate to contact us at PowerSchoolData@ncdsb.on.ca .
If you have additional questions, please contact us at PowerSchoolData@ncdsb.on.ca. Please understand that those who contact the NCDSB regarding this incident must verify their identity before we can release information about the specific impact related to their information.
