Jan. 14, 2025
Frequently Asked Questions About the Data Breach
What data was accessed?
PowerSchool advised that the data accessed included personal information such as parent and student contact information. This includes names, birthdates, addresses and phone numbers. Some teacher information is also stored in PowerSchool. We continue to work with PowerSchool to determine the extent of the breach. We will communicate further as more information becomes available.
I uploaded my personal documents. Have these been compromised?
Personal documents (i.e., birth certificates, drivers’ licenses, and immigration documents) uploaded for registration and police information checks are uploaded to SchoolEngage, not PowerSchool.
Was my Social Insurance Number (SIN) or my child's SIN compromised?
The CBE does not collect student or parent SINs.
What information is stored in PowerSchool?
PowerSchool includes student information such as names, birthdates, addresses and phone numbers, student ID numbers and medical and guardian notes. PowerSchool also stores teacher names, contact information and ID numbers.
Was financial information compromised?
Based on the information provided by PowerSchool, financial information was not compromised. CBE does not store credit card or other financial information in PowerSchool.
How did the unauthorized party gain access to PowerSchool?
PowerSchool advised that access was gained using a compromised PowerSchool employee’s credentials. Once the credentials were compromised, the unauthorized party gained access to data from multiple school districts worldwide.
Will credit monitoring be offered?
PowerSchool has indicated that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. We continue to work with PowerSchool to understand the extent of the breach and those impacted.
Can I still access PowerSchool?
Yes. PowerSchool is available for school and family use.
Should we change our passwords?
It’s good practice to change passwords regularly and not use the same password across different applications.
Is PowerSchool safe to use?
PowerSchool has taken steps to secure its systems and has assured us that the breach has been contained. CBE has taken additional measures to prevent third-party access.
FAQ from PowerSchool
Jan. 9, 2024
CBE was informed on Jan. 7 of a cybersecurity incident involving PowerSchool, the system used for student information. We are doing everything possible, including working with PowerSchool to determine the scope of the incident and any potential impact on families and staff.
Since the incident was discovered, PowerSchool has notified law enforcement, locked down their system, and changed all passwords.
After receiving this information, the CBE limited access to PowerSchool and is engaging in further conversations to determine next steps.
While we are still trying to determine what may have been accessed, we can confirm that PowerSchool does not store financial information.
We are doing everything possible to learn more about this incident. Updates will be provided as more information becomes available.
Questions may be directed to FOIP@cbe.ab.ca or the Office of the Information and Privacy Commissioner of Alberta at oipc@ab.ca.
Message from PowerSchool
Dear Valued Customer,
As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
Please review the following information and be sure to share this with relevant security individuals at your organization.
As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.
We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.
Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.
PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.
We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.
We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.
Thank you for your continued support and partnership.
Sincerely,
Hardeep Gulati
Chief Executive Officer
Paul Brook
Chief Customer Officer
cc: Mishka McCowan
Chief Information Security Officer