Frequently Asked Questions About the Extortion Threat
As new information is received about the extortion threat communicated to staff and families on May 7, 2025, the FAQ below will continue to be updated. Additional FAQ about the data breach is also available in the next section below.
Has a new incident occurred?
We have recently been informed by PowerSchool that a threat actor is attempting to extort school boards using the data breached in December 2024. PowerSchool is continuing their investigation into this development. At this time, PowerSchool believes it is related to the Dec. 2024 incident that was previously disclosed to CBE parents, students and staff.
Has any new information been impacted?
At this time PowerSchool has indicated that no new data has been impacted.
Are CBE’s systems secure?
CBE administration has taken a number of steps to assess and contain this threat. This includes implementing enhanced cybersecurity measures to mitigate against potential cyberattacks. CBE has retained external experts in cybersecurity and an incident response team has also been established.
Is PowerSchool safe to use?
PowerSchool is CBE’s system for student information. CBE has been using PowerSchool for a number of years following a rigorous procurement process. PowerSchool’s system was chosen because it meets the provincial compliance standard known as PASI (Provincial Approach to Student Information).
PowerSchool has assured CBE that its system is secure and they continue to actively monitor their systems.
CBE administration has also taken a number of steps to assess and contain this threat. This includes implementing enhanced cybersecurity measures to mitigate against potential cyberattacks. CBE has retained external experts in cybersecurity and an incident response team has also been established.
Why did PowerSchool pay a ransom?
We have been advised by PowerSchool that it paid a ransom earlier this year with the aim of hopefully securing deletion of the impacted data by the third party that conducted the attack. As with any such incident however, there was a risk that the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool, which unfortunately occurred in this case.
CBE did not pay a ransom nor did it contribute to any ransom payment made by PowerSchool.
How can I protect myself?
As previously communicated to all students and staff, PowerSchool is offering credit monitoring and identity protection for those directly impacted by the Dec. 2024 breach. Staff and students who have reached the age of majority can apply for credit monitoring services. Any students and staff whose information was involved can apply for two years of complimentary identity protection.
We strongly encourage you to sign up for such complimentary services if you have not already done so. Please visit the PowerSchool Data Breach page for how to apply.
Frequently Asked Questions About the Data Breach
As new information is received, the FAQ below will continue to be updated.
Who was impacted? Added Feb. 5, 2025
Records of both current and former students and staff have been accessed.
Students: The breach affects students who have been part of the CBE system at any time since September 2018, when CBE began using PowerSchool as its student information system. Additionally, historical student data from prior years was transferred into PowerSchool upon its launch, meaning that students who were part of the CBE system before September 2018 may also be impacted.
We are actively working to identify the student data imported into PowerSchool from CBE’s prior student information system.
Staff: The breach affects current and former staff who have been part of the CBE system at any time since September 2018, when PowerSchool was implemented. This includes teachers, substitute teachers, administrative personnel, contractors and other employees whose information was entered into PowerSchool.
What data was accessed? Revised Feb. 5, 2025
Student personal information, including:
- First, middle and last names
- Home address
- Phone numbers
- Date of birth
- Gender
- Grades
- Alberta student ID number
- CBE issued ID number
- School names or school codes
- In some cases, medical information such as allergies, medications, medical conditions, Alberta Health Care number, doctor contact information, data entered into “open text” fields on PowerSchool and/or supports, and information from the Guardian Alert field, used to communicate guardian information to teachers and other school staff in emergencies.
Correction | In the Feb. 5 communication, CBE issued email addresses were included in this list. Further investigation has determined these email addresses were not part of the breach.
Staff information, including:
- First, middle and last names
- CBE employee numbers
- School name codes
- School addresses and phone numbers
- Department and/or teaching specialty
- CBE issued email addresses
- In limited cases, home phone numbers and home addresses if entered into PowerSchool.
How can I access identity monitoring being offered by PowerSchool? Revised Apr. 3, 2025
PowerSchool is offering two years of complimentary identity protection services, provided by Experian, to students and educators whose information was involved. A credit card is not required to enroll.
Note | Parent names were not included in the breach. Only students and staff are eligible to register for these identity monitoring services.
- Visit the Experian IdentityWorks website to enroll: www.globalidworks.com/identity1
- Provide the activation code: MPRT987RFK
- The deadline to enroll has been extended until July 30, 2025 (The code will not work after this date)
- For questions about the product or help with enrolment, please email globalidworks@experian.com
How can I access credit monitoring being offered by PowerSchool? Revised Feb. 10, 2025
PowerSchool is offering credit monitoring services to involved staff and students who have reached the age of majority in Alberta.
Note | Parent names were not included in the breach. Credit monitoring services are only available to staff and those students who have reached the age of majority.
I uploaded my personal documents. Have these been compromised?
Personal documents (i.e., birth certificates, drivers’ licenses, and immigration documents) uploaded for registration and police information checks are uploaded to SchoolEngage, not PowerSchool.
Was my Social Insurance Number (SIN) or my child's SIN compromised? Revised Feb. 5, 2025
As a practice, the CBE does not collect student or parent SINs or student Alberta Health Care (AHC) numbers. Out of an abundance of caution we will continue to review the data to confirm if there are any records that may contain information related to SIN or AHC.
What information is stored in PowerSchool?
PowerSchool includes student information such as names, birth dates, addresses and phone numbers, student ID numbers and medical and guardian notes. PowerSchool also stores staff names, contact information and ID numbers.
Was financial information compromised?
Based on the information provided by PowerSchool, financial information was not compromised. CBE does not store credit card or other financial information in PowerSchool.
Can I log into the parent portal and pay fees safely? Added Jan. 29, 2025
Yes. While the parent portal is available through PowerSchool, other portal functions like the fee payment system (Rycor) are separate and were not affected by the PowerSchool cybersecurity incident. All payment information is processed directly within Rycor, which operates independently of PowerSchool.
How did the unauthorized party gain access to PowerSchool?
More details of the breach can be found in the information shared by PowerSchool.
Can I still access PowerSchool?
Yes. PowerSchool is available for school and family use.
Should we change our passwords?
It’s good practice to change passwords regularly and not use the same password across different applications.