Individual notices starting to go out about PowerSchool data breach

If you’re a student or teacher – or were one in the past few decades – you may be receiving a notification soon that your personal information was compromised in the recent PowerSchool cyber breach that targeted school boards across Canada. The Newfoundland and Labrador Department of Education announced on Tuesday that individuals whose social insurance numbers were accessed during the cyberattack in late December will be informed.

The breach in Newfoundland and Labrador affected over 270,000 students dating back to 1995, with a significant portion of the compromised data belonging to individuals who are no longer part of the K-12 system. Additionally, more than 14,000 teachers’ information dating back to 2010 was also included in the breach. PowerSchool, a cloud-based software provider utilized by numerous Canadian K-12 school boards for managing student information and communications, has been working to address the situation since notifying clients in Canada and the U.S. about the incident earlier this month.

Several provinces, including Ontario, Saskatchewan, Alberta, Nova Scotia, Prince Edward Island, Manitoba, and the Northwest Territories, were impacted by the cyber breach that occurred between December 22 and 28 through a compromised back-end technical account supporting school board clients. In response, PowerSchool has been conducting investigations and gradually updating affected school districts on the extent of the student and staff data compromised, as well as the timeline of the breach. The company assured boards that the accessed data has been deleted and stated that there is no evidence of malware or ongoing unauthorized activity in their systems.

Some of the largest school divisions in Canada were affected by the breach, with the Toronto District School Board estimating that data from 1.49 million students registered between September 1985 and December 2024 was included. To ensure that past students with outdated contact information receive updates, the TDSB has set up a central website for incident-related announcements.

The type of information compromised varies by school division, ranging from personal details like names, addresses, and medical notes to grades, emergency contacts, and disciplinary records. In some cases, social insurance numbers of educators and staff were also exposed. PowerSchool has committed to providing free identity and credit monitoring for two years to individuals impacted by the breach, regardless of whether their social insurance number was compromised. The company has partnered with Experian for identity protection services for affected Canadian students and educators, and with TransUnion for credit monitoring for individuals who have reached the age of majority.

Instructions on how to enroll in the monitoring services will be provided in the coming weeks, with PowerSchool cautioning individuals to remain vigilant as they would never request personal or account information via phone or email. The company is in the process of notifying Canadian and U.S. regulators about the incident and has engaged with federal privacy commissioner Philippe Dufresne, who emphasized the sensitivity of children’s personal information and pledged to work with PowerSchool to address the breach.

As the fallout from the PowerSchool cyber breach continues to unfold, it is essential for students, teachers, and parents to stay informed and take necessary precautions to safeguard their personal information. The company’s proactive response and commitment to providing support and monitoring services are crucial steps in mitigating the impact of this widespread cyber incident.