View School Directory
Back to News Listing

PowerSchool Cybersecurity Incident

General Information press release

February 10, 2025 UPDATE

Powerschool has initiated the process of notifying involved individuals of the incident about the resources now available to them. As part of this process, they have posted a notice on their website. Credit monitoring and identity protection services are now activated and available.

January 22, 2025 UPDATE

As you may be aware / as we previously communicated, PowerSchool – a cloud-based software vendor used by the Horizon School Division – recently experienced a cybersecurity incident involving unauthorized access to certain information in the PowerSchool Student Information System.

We are reaching out to share more information and next steps that we recently received directly from PowerSchool:

  • Identity Protection and Credit Monitoring Services: PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all students and educators whose information was involved and who have reached the age of majority (18 years of age). The offered credit monitoring services, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian. Credit monitoring is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
    • Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent/guardian enrols an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enrol in credit monitoring services for the duration of the two-year coverage period.
  • Notification to Individuals Involved: Starting in the next few weeks, in collaboration with TransUnion and Experian, PowerSchool will provide notice to students, parents / guardians and educators (as applicable) whose information was involved, as well as a phone number to answer any questions you may have about the incident. The notice will include the identity protection and credit monitoring services offer (as applicable).

  • PowerSchool will also launch a website and distribute a media release to ensure they reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool.

  • As soon as PowerSchool learned of the incident, they engaged cybersecurity response protocols and mobilized third-party cybersecurity experts to conduct a forensic investigation and to monitor for signs of information misuse. PowerSchool is not aware of any identity theft attributable to this incident.

In the meantime, I encourage you to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the cybersecurity incident.

Sincerely,

Horizon School Division

 

January 17, 2025 update

Frequently Asked Questions (FAQ)

Who is affected?

  • All current and former Horizon students from 2011 and onward.
  • All current and former Horizon staff with access to PowerSchool since 2011.

What student data was accessed?

Our investigation has determined that the data accessed included:

  • Student demographic information such as:
    • first name,
    • last name,
    • date of birth,
    • student phone numbers,
    • student email address, and
    • mailing addresses. 
  • Student educational information such as:
    • Alberta Student Numbers (ASN)
    • name of school attending
    • year graduating
  • Guardian Alerts (e.g. note referencing existence of external document such as custody order)
  • Basic student medical information, including details such as asthma, allergies, diabetes, or other medical conditions that were shared with the school.
  • Parent demographic information such as:
    • name,
    • mailing address,
    • phone number,
    • email addresses, and
    • for some parents the name of their employer
  • Emergency contact demographic information such as:
    • names, and
    • phone number,

What staff data was accessed?

The breach also accessed limited staff work-related data, including:

  • names,
  • mailing addresses,
  • phone number, and
  • email addresses.

Was financial information accessed?

No. Financial information was not accessed, as it is not stored in PowerSchool.

Were photos accessed?

No. Student and staff photos were not accessed in this incident.

I uploaded personal documents during the registration process. Have those been compromised?

No. Personal documents, such as birth certificates uploaded during the registration process were not affected by the PowerSchool cybersecurity breach.

None of the following information was impacted:

  • Passwords of students or parents

  • Financial information (finance system is different than information system)

  • Documentation such as birth certificates, study visas, etc.

  • Photos of students

  • Social Insurance Numbers (We do not collect this student or parent information)

Can I still use my PowerSchool Account?

Yes, you can continue to use your PowerSchool account as usual. The PowerSchool cybersecurity incident has not disrupted daily school operations or classroom instruction. PowerSchool has assured us that the incident has been contained and that additional security measures have been implemented to prevent future breaches.

What can the data taken be used for?

The accessed data could potentially be used for identity theft, where personal details are misused to impersonate someone or commit fraud. It could also be used for phishing or social engineering, such as sending fake emails or messages designed to trick individuals into revealing sensitive information like passwords or financial details.

While no financial information, passwords, or personal documents were accessed in this incident, it is always important to monitor any digital accounts that you have to watch for activity that is not yours.

We advise being cautious with emails or messages that seem unfamiliar. Avoid clicking on unknown links and refrain from sharing personal details in response to unsolicited requests.

How did the data breach happen?

According to PowerSchool, the breach occurred after an unauthorized party used a compromised credential to gain access, affecting information from multiple school divisions worldwide, including the Horizon School Division.

PowerSchool has assured us that the vulnerability has been identified and resolved. They have also implemented enhanced security measures to prevent similar incidents in the future. 

What measures are in place to protect against future breaches?

This was a PowerSchool breach. PowerSchool says it has strengthened its password policies and controls, including increasing the length and complexity of the passwords required of all employees. PowerSchool is working with CrowdStrike, a leading cybersecurity company, monitoring the internet for any potential misuse of data. We are also closely monitoring the situation.

Horizon School Division has Multi-Factor Authentication (MFA) enabled for all staff for most of our platforms and we are in the process of adding Powerschool to MFA. MFA reduces the risk of account takeovers and provides additional security for users and their accounts. 

What should I watch out for to protect my information?

We recommend you always use the following practices to keep your accounts and information secure: 

  • Regularly check your email, online accounts, and social media accounts for any signs of unusual activity.
  • Update all account passwords frequently, especially if any have been reused across different platforms.
  • Use strong, unique passwords for every account, and consider using a password manager for enhanced security.
  • Activate two-factor or Multi-Factor Authentication on any accounts where it’s available for extra protection.

Additionally, stay vigilant against phishing attempts. Be cautious of unfamiliar emails, calls, or messages that claim to be from legitimate organizations. Never click on suspicious links or share personal information without verifying the source. By always taking these precautions, you can help safeguard your accounts and reduce the risk of unauthorized access.

Will credit monitoring be offered?

PowerSchool has indicated that it plans to provide credit monitoring services to qualifying adults and identity protection services to qualifying minors. While we understand the extent of the breach within Horizon, the impact has been more significant in other regions. At this time, we are awaiting clarification on who will be eligible for these services.

FAQ from powerschool

January 9, 2025 (update)

Horizon School Division has been been informed of a  recent cybersecurity incident involving PowerSchool, a software vendor which provides our Student Information System (SIS). This event impacted school divisions's across Canada and the United States.

 

On Tuesday, January 7, 2025, PowerSchool informed our leadership team that they experienced a cybersecurity incident involving unauthorized access to certain PowerSchool SIS customer data. Unfortunately, they have confirmed that the information belongs to some of Horizon’s families and educators.

 

We want to assure you that no financial information was accessed or stored in PowerSchool. 

 

PowerSchool has assured us that the incident is contained, and they’ve strengthened their security measures to prevent future breaches. PowerSchool informed us that the taken data primarily includes teacher, parent and student contact information with data elements such as name and address information. Across their customer base, they have determined that for a portion of their clientelle, some student identifiable information, such as medical information, was impacted. They are working with urgency to complete their investigation and determine whether information belonging to our teachers, parents, and students was included.

 

Protecting our teachers and students is something we take seriously. With PowerSchool’s help, more information and resources (including credit monitoring or identity protection services if applicable) will be provided to you as it becomes available. We remain committed to keeping you informed.

 

Wilco Tymensen

Superintendent of Schools