News

PowerSchool Cyber Incident

January 30, 2025

We are writing to provide an update on the cyber incident involving PowerSchool's Student Information System – the application used by Superior-Greenstone District School Board (SGDSB) and many school boards across North America to store certain student and staff information.

On Tuesday, January 7, 2025, PowerSchool informed school boards, including SGDSB, that a data breach occurred within their system.  At that time, based on information initially provided by PowerSchool, there was no indication that our data had been compromised. 

However, since then, PowerSchool has shared additional details regarding the breach.  Following a thorough analysis conducted by our cybersecurity team, we can now confirm that SGDSB has been impacted by this incident. 

This incident has affected current and former students and staff. Please note that we will also be posting this notice on our website to notify SGDSB's former students and staff who may be affected.   

What Happened

On January 7th, PowerSchool informed SGDSB and other school boards, both nationally and internationally,  that it had experienced a cyber incident.

Since then, we have been working with PowerSchool and conducting our own independent investigation, with the assistance of internal and external experts, to determine the precise information that was affected.

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online.  Nevertheless, SGDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future.

What Information Was Affected

We have worked with PowerSchool and concluded our analysis and can confirm that limited student and staff information was impacted as part of this incident.

For all students enrolled at SGDSB from September 1, 2015, to December 22, 2024, the information includes: student name, address, home phone number, date of birth, gender, grade, graduating year, date of student registration, parent/guardian name, parent/guardian email address, and Ontario Education Number. For most students, the data also included their emergency contact name and contact information, and school transfer information.

For a limited number of students enrolled from September 1, 2015, to December 22, 2024, the following additional information was also affected: medical alert information, doctor's name, doctor's number, locker number and locker combination.

With respect to medical alert information, if you provided information to your child's school about your child's allergies, medical conditions or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired.

This incident did not result in the compromise of any of the following information:

Financial information, health assessment information, student academic grades, and records included in our system provided to or by members of SGDSB's Student Support team (e.g. Psychological Services, Audiologist, Speech-Language Pathologists, and Social Workers), such as information related to Individual Placement Review Committee decisions (IPRCs), Individual Education Plans (IEPs) or accommodations.

For Teachers, and System Administrators (School Secretaries, System Principals, IT staff) who worked at SGDSB from September 1, 2015, to December 22, 2024 and who have access to the PowerSchool student information system, affected data includes employee name, SGDSB username, Board email address, and job title. For a small number of staff, home address and home phone number were also impacted.

Staff who do not have access to the PowerSchool student information system were not affected by this cyber incident (e.g. Support Staff such as Custodial staff, Maintenance staff, Student Support Professionals, and Lunchroom Supervisors).

To be clear, SGDSB does not store any Social Insurance Numbers, financial, or banking information in the PowerSchool Student Information System, so that information was not affected in any way.

The Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC's website at www.ipc.on.ca.

Where Can I Find the Latest Information?

We will continue to provide additional updates as we receive them. Frequently Asked Questions (FAQ) can be found below, and we will continue to update the FAQs with any new or relevant information. You can also view FAQ's from PowerSchool on their website.

At this time, there is no action for you to take.  Nevertheless, staff and families are reminded to be vigilant following the PowerSchool data breach. 

If you wish to have more information about this incident, we invite you to contact us at powerschoolincident@sgdsb.on.ca

We appreciate your patience and understanding, and sincerely regret any concern this has caused you.

Sincerely,

Superior-Greenstone District School Board

Frequently Asked Questions

What happened? 

On December 28, 2024, PowerSchool, a third-party service provider used by the Superior-Greenstone District School Board (SGDSB), became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.

On January 7, 2025, PowerSchool notified SGDSB of the incident and that personal information of our students and educators may have been impacted. At that time, based on information initially provided by PowerSchool, there was no indication that our data had been compromised. 

However, since then, PowerSchool has shared additional details regarding the breach.  Following a thorough analysis conducted by our cybersecurity team, we can now confirm that SGDSB has been impacted by this incident. 

What is PowerSchool?  

PowerSchool is a software company utilized by many school boards internationally to store a range of student information and a limited amount of school-based staff information.

Who was affected?

Many public boards and private schools across North America who use PowerSchool SIS were affected by this incident.

What data was accessed?

We have worked with PowerSchool to determine that the following information was affected:

For all students enrolled at SGDSB from September 1, 2015, to December 22, 2024, the information includes: student name, address, home phone number, date of birth, gender, grade, graduating year, date of student registration, parent/guardian name, parent/guardian email address, and Ontario Education Number. For most students, the data also included their emergency contact name and contact information, and school transfer information.

For a limited number of students enrolled from September 1, 2015 to December 22, 2024, the following additional information was also affected: medical alert information, doctor's name, doctor's phone number, locker number and locker combination.

With respect to medical alert information, if you provided information to your child's school about your child's allergies, medical conditions or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired.

The following was NOT part of the data accessed:

  • Academic records.
  • Social insurance numbers, banking or financial information.
  • Records included in our system provided to or by members of SGDSB's Student Support team (e.g. Psychological Services, Audiologist, Speech-Language Pathologists, and Social Workers), such as information related to Individual Placement Review Committee decisions (IPRCs), Individual Education Plans (IEPs) or accommodations.

For Teachers, and System Administrators (School Secretaries, System Principals, IT staff) who worked at SGDSB from September 1, 2015, to December 22, 2024, and who have access to the PowerSchool SIS system: 

  • Employee name
  • Employee number
  • SGDSB username
  • SGDSB email address

For a small number of teachers, administrators, school office staff, superintendents and department staff who worked at SGDSB from 2015-2024 and who have access to the PowerSchool SIS system:

  • Home address
  • Home phone number

Please note that sensitive educator information, like financial information, was not compromised.

Other staff  

Staff who do not have access to the PowerSchool student information system were not affected by this cyber incident.  

What steps are you taking to prevent this from happening again?

Although this cyber incident did not take place in a SGDSB environment, as part of our own investigation process, we are working with industry experts and using this incident as an opportunity to review our vendor retention practices and improve how we protect personal information. We are committed to continuously improving our systems and processes to safeguard the privacy of our community. We have many measures in place to protect student, staff, and family data and will continue to implement industry best-practices and provide extensive training for our staff.

Where can I learn more about the incident?

PowerSchool has posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward. 

Did the Board notify the Office of the Information and Privacy Commissioner?

Yes, the Board has notified and is working with the Ontario Information and Privacy Commissioner in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter.

Was any credit card or banking information involved in this incident?

No. Both PowerSchool and the Board's own internal investigation can confirm that there is no evidence of any credit card or banking information being compromised. 

Is there any indication that compromised information has been released?

There is no evidence of the compromised information having been released at this time.

Why were you keeping my student data if I was no longer enrolled in the board?

We keep information about former students in accordance with provincial requirements under the Education Act and to respond to former student information requests. We are taking this opportunity to assess our records retention practices to ensure that we are only keeping what is necessary to conduct the Board's business.

I attended the SGDSB many years ago. Was my information impacted?

Our PowerSchool SIS stores data for students who attended a SGDSB school from 2015-2024. If you were a SGDSB student prior to this, your information was not impacted as part of this incident. 

Is credit monitoring being provided?

PowerSchool has agreed to provide two years of credit monitoring and identity monitoring to all adult students and staff affected by this incident. Those who are still minors will be offered two years of identity monitoring. We expect to be issuing an update on this in the coming weeks.

Can I opt-out of PowerSchool?

Not at this time. SGDSB is using this incident to review the information practices of all of its vendors.

Is the Board changing vendors?

Not at this time.

Were all PowerSchool products impacted?

No. Only PowerSchool SIS was impacted by this incident. Other PowerSchool tools were not impacted. 

I have additional questions not addressed by these FAQs.

A dedicated email address has been created where individuals can send any additional questions they may have.  Please send any additional questions to powerschoolincident@sgdsb.on.ca