PowerSchool Cyber Incident
On Tuesday, January 7, 2025, PowerSchool notified us about a data breach that occurred between December 22 and 28, 2024. PowerSchool quickly secured the affected data and began an investigation. Our IT department, with PowerSchool's support, is also addressing the situation employing our cyber-security protocols.
This webpage will serve as the key information source for TNCDSB staff, students, and the community members we serve. It will be updated on a regular basis with new information as it is released. The site will include Communication and Notification letters from TNCDSB, Frequently Asked Questions (FAQs), and any other emerging relevant details regarding this matter.
If you have any questions please submit the following form PowerSchool Cyber Incident Inquiry.
Communication and Notification Letters
Frequently Asked Questions (FAQs)
What Happened?
On December 28, 2024, PowerSchool, a third-party service provider used by The Northwest Catholic District School Board (the Board), became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.
On January 7, 2025, PowerSchool notified the Board of the incident and that personal information of our students and educators may have been impacted.
What is PowerSchool?
PowerSchool is the SIS used by the Board. The Board and many school boards across North America use the PowerSchool SIS to store a range of student information and a limited amount of school-based staff information. The data stored in the SIS varies from one school board to another.
Were other PowerSchool products impacted?
No. Only PowerSchool SIS was impacted by this incident. Other PowerSchool products used within the Board, such as SchoolMessenger and SmartFind Express were not impacted.
Where was the breached information stored?
The information that was accessed was hosted in PowerSchool's SIS cloud and was not directly accessed through any of the Board's systems.
How is the Board responding?
The Board's Information Technology Department promptly activated internal cyber incident response protocols. This cyber incident did not take place within the Board's environment; however, we are continuing to work through our investigative process and will be using this incident as an opportunity to further review and enhance our security and response protocols to ensure our systems and practices evolve to address the ever-changing digital landscape in Education.
What type of student information was affected?
The following information has been confirmed regarding the types of personal information stored in the SIS for the Board's students that was accessed and acquired during the cyber incident.
Students since the beginning of the 2015-2016 school year to December 2024:
For ALL or a majority of students
- First, Middle (where applicable) and Last Name
- Ontario Education Number (OEN)
- Student Identification Number
- Home Address
- Phone Number
- Date of Birth
For some students
- Parent/Guardian Contact Information (Name, phone number, email address)
- Medical Information
For a small number of students
- Parent/Guardian custodial status
What type of staff information was affected?
The following has been confirmed regarding the types of personal information stored in the SIS for the Board staff that were accessed and acquired during the cyber incident.
For all Educators, Administrative Staff, and some Student Support Professionals with PowerSchool SIS accounts who have worked for the Board between March 2022 and December 2024, the information affected includes the following:
- First, Middle (where applicable) and Last Name
- Employee Number
- TNCDSB Email Address
Please note that staff without a PowerSchool SIS account were not impacted (eg. Custodians).
In addition to the above, a majority of staff records also contain:
- Home address
- Home phone number
Was financial or any other school-based information affected?
No. The following information was not affected by this cyber incident:
- Social Insurance Number
- Financial or Credit Card Information
- Individual Education Plans (IEP)
- Attendance Records
- Achievement Information, Report Card Marks or Comments
- Student Photos
Was medical information affected?
If you provided information to your child's school about your child's allergies, medical conditions or injuries when completing the start of year forms, this information may have been included in the data that was accessed or acquired. Please note that medical information provided to members of the Board's mental health/behaviour support teams (e.g. Psychologist, Occupational Therapist, Physiotherapist, Audiologist, Speech-Language Therapist, Social Workers, etc.) was not impacted by this incident.
Why does the Board keep the records of former students?
We keep information about former students in accordance with provincial requirements under the Education Act and to respond to former student information requests. We are taking this opportunity to assess our records retention practices to ensure that we are only keeping what is necessary to conduct the Board's business.
Did the Board notify the Office of the Information and Privacy Commissioner?
Yes, the Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC's website at www.ipc.on.ca
Will credit monitoring/identity theft protection be provided for affected individuals?
PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. They are doing this even though no Board student or educator Social Insurance Numbers were impacted by this incident.
PowerSchool has provided the Board with additional information on how to sign up for these services. Please see the Identity Theft and Credit Monitoring Offer.
Is there any indication that compromised information has been released?
PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online.
Can I opt-out of PowerSchool?
Not at this time. The Board is using this incident to review the information practices of all of its vendors.
Is the Board changing vendors?
Not at this time.
Who can I contact if I have further questions about this incident?
If you have additional questions with regards to the PowerSchool Cyber Incident, please submit the attached form PowerSchool Cyber Incident Inquiry.
Where can I learn more about the incident?
PowerSchool has posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward. You can also visit the PowerSchool Frequently Asked Questions page for more information.
The Northwest Catholic District School Board has reported this incident to the Office of the Information and Privacy Commissioner of Ontario (IPC), and the IPC has opened an investigation file. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.