Back to News Listing

PowerSchool Cybersecurity Incident

January 17, 2025 update

Frequently Asked Questions (FAQ)

Who is affected?

  • All current and former Horizon students from 2011 and onward.
  • All current and former Horizon staff with access to PowerSchool since 2011.

What student data was accessed?

Our investigation has determined that the data accessed included:

  • Student demographic information such as:
    • first name,
    • last name,
    • date of birth,
    • student phone numbers,
    • student email address, and
    • mailing addresses. 
  • Student educational information such as:
    • Alberta Student Numbers (ASN)
    • name of school attending
    • year graduating
  • Guardian Alerts (e.g. note referencing existence of external document such as custody order)
  • Basic student medical information, including details such as asthma, allergies, diabetes, or other medical conditions that were shared with the school.
  • Parent demographic information such as:
    • name,
    • mailing address,
    • phone number,
    • email addresses, and
    • for some parents the name of their employer
  • Emergency contact demographic information such as:
    • names, and
    • phone number,

What staff data was accessed?

The breach also accessed limited staff work-related data, including:

  • names,
  • mailing addresses,
  • phone number, and
  • email addresses.

Was financial information accessed?

No. Financial information was not accessed, as it is not stored in PowerSchool.

Were photos accessed?

No. Student and staff photos were not accessed in this incident.

I uploaded personal documents during the registration process. Have those been compromised?

No. Personal documents, such as birth certificates uploaded during the registration process were not affected by the PowerSchool cybersecurity breach.

Can I still use my PowerSchool Account?

Yes, you can continue to use your PowerSchool account as usual. The PowerSchool cybersecurity incident has not disrupted daily school operations or classroom instruction. PowerSchool has assured us that the incident has been contained and that additional security measures have been implemented to prevent future breaches.

What can the data taken be used for?

The accessed data could potentially be used for identity theft, where personal details are misused to impersonate someone or commit fraud. It could also be used for phishing or social engineering, such as sending fake emails or messages designed to trick individuals into revealing sensitive information like passwords or financial details.

While no financial information, passwords, or personal documents were accessed in this incident, it is always important to monitor any digital accounts that you have to watch for activity that is not yours.

We advise being cautious with emails or messages that seem unfamiliar. Avoid clicking on unknown links and refrain from sharing personal details in response to unsolicited requests.

How did the data breach happen?

According to PowerSchool, the breach occurred after an unauthorized party used a compromised credential to gain access, affecting information from multiple school divisions worldwide, including the Horizon School Division.

PowerSchool has assured us that the vulnerability has been identified and resolved. They have also implemented enhanced security measures to prevent similar incidents in the future. 

What measures are in place to protect against future breaches?

This was a PowerSchool breach. PowerSchool says it has strengthened its password policies and controls, including increasing the length and complexity of the passwords required of all employees. PowerSchool is working with CrowdStrike, a leading cybersecurity company, monitoring the internet for any potential misuse of data. We are also closely monitoring the situation.

Horizon School Division has Multi-Factor Authentication (MFA) enabled for all staff for most of our platforms and we are in the process of adding Powerschool to MFA. MFA reduces the risk of account takeovers and provides additional security for users and their accounts. 

What should I watch out for to protect my information?

We recommend you always use the following practices to keep your accounts and information secure: 

  • Regularly check your email, online accounts, and social media accounts for any signs of unusual activity.
  • Update all account passwords frequently, especially if any have been reused across different platforms.
  • Use strong, unique passwords for every account, and consider using a password manager for enhanced security.
  • Activate two-factor or Multi-Factor Authentication on any accounts where it’s available for extra protection.

Additionally, stay vigilant against phishing attempts. Be cautious of unfamiliar emails, calls, or messages that claim to be from legitimate organizations. Never click on suspicious links or share personal information without verifying the source. By always taking these precautions, you can help safeguard your accounts and reduce the risk of unauthorized access.

Will credit monitoring be offered?

PowerSchool has indicated that it plans to provide credit monitoring services to qualifying adults and identity protection services to qualifying minors. While we understand the extent of the breach within Horizon, the impact has been more significant in other regions. At this time, we are awaiting clarification on who will be eligible for these services.

 

January 9, 2025 (update)

Horizon School Division has been been informed of a  recent cybersecurity incident involving PowerSchool, a software vendor which provides our Student Information System (SIS). This event impacted school divisions's across Canada and the United States.

 

On Tuesday, January 7, 2025, PowerSchool informed our leadership team that they experienced a cybersecurity incident involving unauthorized access to certain PowerSchool SIS customer data. Unfortunately, they have confirmed that the information belongs to some of Horizon’s families and educators.

 

We want to assure you that no financial information was accessed or stored in PowerSchool. 

 

PowerSchool has assured us that the incident is contained, and they’ve strengthened their security measures to prevent future breaches. PowerSchool informed us that the taken data primarily includes teacher, parent and student contact information with data elements such as name and address information. Across their customer base, they have determined that for a portion of their clientelle, some student identifiable information, such as medical information, was impacted. They are working with urgency to complete their investigation and determine whether information belonging to our teachers, parents, and students was included.

 

Protecting our teachers and students is something we take seriously. With PowerSchool’s help, more information and resources (including credit monitoring or identity protection services if applicable) will be provided to you as it becomes available. We remain committed to keeping you informed.

 

Wilco Tymensen

Superintendent of Schools