PowerSchool Issues

• January 9, 2025: Letter to parents and guardians re: PowerSchool Cyber Incident ›
• January 9, 2025: Letter to OCSB staff re: PowerSchool Cyber Incident ›
• January 21, 2025: Letter to parents and guardians re: Update on PowerSchool Cyber Incident
• January 21, 2025: Letter to OCSB staff re: Update on PowerSchool Cyber Incident ›
• February 11, 2025: Letter to parents and guardians re: PowerSchool Offer ›
• February 11, 2025: Letter to OCSB staff re: PowerSchool Offer ›

PowerSchool is a leading provider of education technology solutions designed to support students, teachers, and administrators. With 30 years of expertise in the industry, PowerSchool serves over 60 million students across school districts in 90 countries world-wide.  One of its core offerings is its Student Information System (SIS), a comprehensive system for managing and storing student-related data. Despite the recent incident, it remains a reputable company with a strong track record in the education sector.

PowerSchool identified that unauthorized access occurred between December 19 and December 23, 2024. The incident involved limited student and staff data. PowerSchool is confident that the breach has been contained, and the accessed data has been deleted without being shared publicly.

PowerSchool has implemented enhanced security measures to prevent future incidents, including stricter access controls and additional monitoring of its systems. These measures include:

• Changing the passwords for all their staff who access the platform
• Increasing the password strength requirements of PowerSchool staff passwords
• Contacting law enforcement
• Bringing in two security companies to assist with responding to the breach

Our OCSB cybersecurity team activated our response plan when PowerSchool notified us. We immediately began working with PowerSchool to assess the situation and ensure our systems remain secure. OCSB continues to monitor the situation closely and work with PowerSchool to ensure the safety and security of all data.

The OCSB has reported the breach to the Office of the Information and Privacy Commissioner of Ontario (IPC), an independent body that oversees privacy practices in Ontario. The IPC has opened an investigation into the matter.

Our analysis has confirmed that the breach affected the following groups:

• Current Students: All students currently enrolled in OCSB schools.
• Former Students: Any student enrolled during or after the 1998-1999 school year.
• Current Staff: All staff currently employed by the OCSB.
• Former Staff: Any staff employed during or after the 1998-1999 school year.

The incident involved the following types of student information:

For all affected students:

• Name (First, last, legal, and preferred)
• Date of birth
• Address
• Place of birth (country, province)
• Student email address
• Gender
• Grade level
• OCSB student number
• Ontario Education Number (OEN)

For some students:

• Assessment/notes from our Family Welcome Centre
• Previous school name and address (if manually entered)
• Life-threatening medical information
• Non-life-threatening medical information
• Family Alert Notes

For students registered before September 2023:

• Guardian names
• Guardian email addresses
• Emergency contact phone number

For students registered before September 2023, the following parent/guardian information was included in the breach:

• Guardian names
• Guardian email addresses
• Emergency contact phone number

The incident involved the following types of information about staff members:

• Name
• Employee number
• Ontario Ministry of Education Number (MEN) (if applicable)
• Board email address
• Gender

We want to emphasize that the following information was not included in the data breach:

• Credit card information
• OHIP information
• SIN numbers
• Student photos
• Student passwords
• Caregiver information (name, address)
• Grades
• Report cards
• Course information
• Course schedules
• Bussing information
• Homeroom assignment/teacher
• Immigration documents
• Permanent Resident number
• Psychological assessments
• IEP/IPRC info
• Suspensions/expulsions
• Disciplinary notes
• Indigenous identification
• Docs that are uploaded in the registration form
• Baptismal status

The following staff information was not included in the data breach:

• Staff email passwords
• Staff work locations
• Staff start and end dates
• Staff leaves
• Staff schedules

PowerSchool has said it will offer two years of complimentary identity protection services for all students and staff whose information was involved and two years of complimentary credit monitoring services for all adult students and staff whose information was involved. They are doing this despite the fact that no OCSB student or staff Social Insurance Numbers or credit card information were impacted by this incident.

You can find information on how to register for these services on this PowerSchool webpage: Notice of Data Breach For Individuals in Canada. The deadline to enrol is May 30, 2025.

If you have any questions or concerns, you may call PowerSchool’s toll-free number 1-833-918-7884, Monday through Friday, 8:00 am through 8:00 pm Central Time. Please be prepared to provide engagement number B138905.

You may also email the OCSB at learning.tech@ocsb. Please understand that those who contact the OCSB regarding this incident must verify their identity before we can release information about the specific impact related to their information.