PowerSchool Cybersecurity Incident
Last updated: February 3, 2025
On January 7, 2025, Greater St. Albert Catholic Schools was notified of a cybersecurity incident involving PowerSchool, our platform for managing student information. This data breach affected organizations internationally, including GSACRD. Since then, our Division has been working to understand the scope of the incident and its potential impact on our families and staff.
PowerSchool has published a website to help answer questions and share the steps it is taking to address the incident.
PowerSchool has assured us that the threat actor deleted the accessed data and that it was not shared or replicated. They have also implemented enhanced security measures to help prevent future incidents. PowerSchool is working with cybersecurity experts, including CrowdStrike. GSACRD is monitoring the situation.
We understand you may have questions, and we’ve created an FAQ section below to provide more information. This resource includes information about what happened, the actions taken, and what this may mean for your family. The FAQ will be updated should more information become available.
Feb. 3 update: Please see PowerSchool's most recent letter below regarding identity protection and credit monitoring services.
Letter from PowerSchool - February 3, 2025
Letter from PowerSchool - January 27, 2025
This is the letter we received on January 27, 2025 from PowerSchool outlining the situation.
Letter from PowerSchool - January 22, 2025
This is the letter we received on January 22, 2025 from PowerSchool outlining the situation.
Dear PowerSchool SIS Customer,
Thank you for your continued patience and partnership as we address the recent cybersecurity incident. Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.
As a PowerSchool SIS customer in Canada whose information was involved, I am writing to provide you with updates on several important next steps:
Identity Protection and Credit Monitoring Services: PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. The offered credit monitoring services in Canada, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian for both the United States and Canada. This offer is being provided regardless of whether an individual’s Social Insurance Number was exfiltrated.
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved. This service is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and the necessary privacy regulators on your behalf. We hope to relieve the burden of these notifications on you and your institution.
- Community: PowerSchool will coordinate with TransUnion and Experian, to provide notice on your behalf to students, parents / guardians and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
I sincerely value the trust you have placed in PowerSchool. We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.
We appreciate all that you are doing to support families and educators through this process.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
Letter from PowerSchool - January 7
This is the letter we received on January 7, 2025, from PowerSchool outlining the situation.
Dear Valued Customer,
As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
Please review the following information and be sure to share this with relevant security individuals at your organization.
As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.
We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.
Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.
PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.
We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.
In the coming days, we will provide you with a communications package to support you in engaging with families, teachers and other stakeholders about this incident. The communications package will include tailored outreach emails, talking points, and a robust FAQ so that district and school leadership can confidently discuss this incident with your community.
We understand that you may have additional questions as a result of this update. FAQs are available on PowerSchool Community. Additionally, we will be holding webinars with senior leaders, including our Chief Information Security Officer, to address additional concerns. Please click the link below to register for a webinar that fits your schedule. Note that content for all sessions will be identical, so you need only attend one.
Wednesday, January 8: REGISTER HERE
Thursday, January 9: REGISTER HERE
In the meantime, please reach out to your Customer Success Manager (CSM), Support, or other established PowerSchool contact should you have any questions. We will be sending communications later today to other stakeholders in your organization who are responsible for other PowerSchool products notifying them of no impact to the other PowerSchool products.
We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.
Thank you for your continued support and partnership.
Sincerely,
Hardeep Gulati
Chief Executive Officer
Paul Brook
Chief Customer Officer
cc: Mishka McCowan
Chief Information Security Officer
Frequently Asked Questions (FAQ)
Will credit monitoring be offered?
PowerSchool says it has engaged TransUnion and Experian, trusted credit reporting agencies, to offer complimentary identity protection and credit monitoring services to all students and educators whose information was involved in the data breach. The offered credit monitoring services in Canada, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian for both the United States and Canada.
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved. This service is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
More information will be shared in the coming weeks.
Who is affected?
All current and former GSACRD students from 2012 and onward.
All current and former GSACRD staff with access to PowerSchool since 2012. This also includes staff who were part of the PowerSchool pilot in 2008.
What student data was accessed?
Our investigation has determined that the data accessed included:
- Student demographic information such as first name, last name, date of birth, student phone numbers, and mailing addresses.
- Alberta Student Numbers (ASN)
- Guardian Alerts
- Basic student medical information, including details such as asthma, allergies, diabetes, or other medical conditions that were shared with the school.
Note: Social Insurance numbers and Alberta Health Card numbers were not included in the breach, as we do not collect or store that information.
What staff data was accessed?
Limited work-related staff data was also accessed in the breach, including names, email addresses, and internal identification numbers.
Was financial information accessed?
No. Financial information was not accessed, as it is not stored in PowerSchool.
PowerSchool manages student information, but when parents or guardians make a payment, they are redirected to Rycor (Student Quick Pay) via a secure link. PowerSchool cannot access Rycor’s data, nor does Rycor share data back with PowerSchool. This recent cybersecurity breach was limited to PowerSchool systems only.
Were photos accessed?
No. Student and staff photos were not accessed in this incident.
I uploaded personal documents during the registration process. Have those been compromised?
No. Personal documents, such as birth certificates or baptism certificates uploaded during the registration process, are stored on a separate platform. They are not stored in PowerSchool. These documents were not affected by the PowerSchool cybersecurity breach.
Can I still use my PowerSchool Account?
Yes, you can continue to use your PowerSchool account as usual. The PowerSchool cybersecurity incident has not disrupted daily school operations or classroom instruction. PowerSchool has assured us that the incident has been contained and that additional security measures have been implemented to prevent future breaches.
What can the data taken be used for?
The accessed data could potentially be used for identity theft, where personal details are misused to impersonate someone or commit fraud. It could also be used for phishing or social engineering, such as sending fake emails or messages designed to trick individuals into revealing sensitive information like passwords or financial details.
While no financial information, passwords, or personal documents were accessed in this incident, it is always important to monitor any digital accounts that you have to watch for activity that is not yours.
We advise being cautious with emails or messages that seem unfamiliar. Avoid clicking on unknown links and refrain from sharing personal details in response to unsolicited requests.
How did the data breach happen?
According to PowerSchool, the breach occurred after an unauthorized party used a compromised credential to gain access, affecting information from multiple school divisions worldwide, including Greater St. Albert Catholic Schools.
PowerSchool has assured us that the vulnerability has been identified and resolved. They have also implemented enhanced security measures to prevent similar incidents in the future.
What measures are in place to protect against future breaches?
This was a PowerSchool breach. PowerSchool says it has strengthened its password policies and controls, including increasing the length and complexity of the passwords required of all employees. PowerSchool is working with CrowdStrike, a leading cybersecurity company, to monitor the internet for any potential misuse of data. We are also closely monitoring the situation.
In response to this incident, GSACRD is implementing a mandatory student password reset for all GSACRD students' Google accounts as an extra precaution.
The Learning and Technology Services (LTS) team has already begun this process and has completed password resets for grades 7 and 8.
The password reset schedule is as follows:
- Monday, February 3, 2025 – Grade 9
- Tuesday, February 4, 2025 – Grade 10
- Wednesday, February 5, 2025 – Grades 11 and 12
If a student forgets their password, school administrators can reset it.
For new student registrations, each school group will receive a default password. New students will be required to change their password upon first login.
What should I watch out for to protect my information?
We recommend you always use the following practices to keep your accounts and information secure:
- Regularly check your email, online accounts, and social media accounts for any signs of unusual activity.
- Update all account passwords frequently, especially if any have been reused across different platforms.
- Use strong, unique passwords for every account, and consider using a password manager for enhanced security.
- Activate two-factor or multi-factor authentication on any accounts where it’s available for extra protection.
Additionally, stay vigilant against phishing attempts. Be cautious of unfamiliar emails, calls, or messages that claim to be from legitimate organizations. Never click on suspicious links or share personal information without verifying the source. By always taking these precautions, you can help safeguard your accounts and reduce the risk of unauthorized access.