PowerSchool Cyber Incident

On Tuesday, January 7, 2025, PowerSchool notified us about a data breach that occurred between December 22 and 28, 2024. PowerSchool quickly secured the affected data and began an investigation. Our IT department, with PowerSchool's support, is also addressing the situation employing our cyber-security protocols.

This webpage will serve as the key information source for TNCDSB staff, students, and the community members we serve. It will be updated on a regular basis with new information as it is released. The site will include Communication and Notification letters from TNCDSB, Frequently Asked Questions (FAQs), and any other emerging relevant details regarding this matter.

If you have any questions please submit the following form PowerSchool Cyber Incident Inquiry.

Communication and Notification Letters

May 8, 2025 - Update Regarding PowerSchool Data Security

February 7, 2025 - Credit and Identity Protection Notification

February 4, 2025 - Notification Update to Families and Staff

January 14, 2025 - Follow-up Communication to Caregivers

January 9, 2025 - Notification to Families

January 9, 2025 - Notification to Staff

Frequently Asked Questions (FAQs)

What Happened?

On December 28, 2024, PowerSchool, a third-party service provider used by The Northwest Catholic District School Board (the Board), became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.

On January 7, 2025, PowerSchool notified the Board of the incident and that personal information of our students and educators may have been impacted.

What is PowerSchool?

Were other PowerSchool products impacted?

Where was the breached information stored?

How is the Board responding?

The Board's Information Technology Department promptly activated internal cyber incident response protocols. This cyber incident did not take place within the Board's environment; however, we are continuing to work through our investigative process and will be using this incident as an opportunity to further review and enhance our security and response protocols to ensure our systems and practices evolve to address the ever-changing digital landscape in Education.

What type of student information was affected?

The following information has been confirmed regarding the types of personal information stored in the SIS for the Board's students that was accessed and acquired during the cyber incident.

Students since the beginning of the 2015-2016 school year to December 2024:

For ALL or a majority of students

First, Middle (where applicable) and Last Name
Ontario Education Number (OEN)
Student Identification Number
Home Address
Phone Number
Date of Birth

For some students

Parent/Guardian Contact Information (Name, phone number, email address)
Medical Information

For a small number of students

Parent/Guardian custodial status

What type of staff information was affected?

The following has been confirmed regarding the types of personal information stored in the SIS for the Board staff that were accessed and acquired during the cyber incident.

For all Educators, Administrative Staff, and some Student Support Professionals with PowerSchool SIS accounts who have worked for the Board between March 2022 and December 2024, the information affected includes the following:

First, Middle (where applicable) and Last Name
Employee Number
TNCDSB Email Address

Please note that staff without a PowerSchool SIS account were not impacted (eg. Custodians).

In addition to the above, a majority of staff records also contain:

Home address
Home phone number

Was financial or any other school-based information affected?

Was medical information affected?

If you provided information to your child's school about your child's allergies, medical conditions or injuries when completing the start of year forms, this information may have been included in the data that was accessed or acquired. Please note that medical information provided to members of the Board's mental health/behaviour support teams (e.g. Psychologist, Occupational Therapist, Physiotherapist, Audiologist, Speech-Language Therapist, Social Workers, etc.) was not impacted by this incident.

Why does the Board keep the records of former students?

Did the Board notify the Office of the Information and Privacy Commissioner?

Will credit monitoring/identity theft protection be provided for affected individuals?

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. They are doing this even though no Board student or educator Social Insurance Numbers were impacted by this incident.

PowerSchool has provided the Board with additional information on how to sign up for these services. Please see the Identity Theft and Credit Monitoring Offer.

Is there any indication that compromised information has been released?

Can I opt-out of PowerSchool?

Is the Board changing vendors?

Who can I contact if I have further questions about this incident?

Where can I learn more about the incident?

The Northwest Catholic District School Board has reported this incident to the Office of the Information and Privacy Commissioner of Ontario (IPC), and the IPC has opened an investigation file. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.