PowerSchool Cyber Incident

This webpage is devoted to updates pertaining to the PowerSchool Cyber Incident (Data Breach). Questions specific to Alerts and Medical Information (if applicable) can be emailed to breach@bhncdsb.ca. All other information can be found on this webpage.

For instructions to sign up for monitoring services offered by PowerSchool, see the: Next Steps for Families and Staff – February 4, 2025 section below.

BHNCDSB UPDATE – Feb 14, 2024, employees who retired before 2012 not impacted

STAFF ONLY: As new information has been presented and upon further investigation, BHNCDSB discovered that the employees impacted by the PowerSchool breach were limited to:

  • Staff employed between 2012 and 2024 or
  • Staff whose SIN is involved in the PowerSchool breach (you would have received an email from BHNCDSB indicating that your SIN was involved. If you did not receive this direct notification, your SIN was NOT involved)

If your retirement date was outside these parameters OR you have not received a ‘Your SIN was involved…’ communication from us and tried to enroll for TransUnion Credit monitoring but were unsuccessful (and were presented with a “At this time, we are not able to validate your information to provide a credit monitoring activation code.”) you can be sure that your information was not involved in the PowerSchool breach.

Next Steps for Families and Staff – Email February 4, 2025

We are writing to update our prior communications sent/posted yesterday (Monday, February 3, 2025), regarding the cyber incident involving PowerSchool’s Student Information System – the application used by the Brant Haldimand Norfolk Catholic District School Board (BHNCDSB) and many school boards across North America to store certain student and staff information.

This incident has affected current and former students and staff. Please note that this notice will also be posted on our website to notify BHNCDSB’s former students and staff who may be affected. 

PowerSchool is offering two years of complimentary identity protection services, provided by Experian, to students and staff whose information was involved. For involved students and staff who have reached the age of majority, in addition to Experian’s identity protection services, PowerSchool is also offering two years of complimentary credit monitoring services provided by TransUnion.

To be clear, all students and staff, past and present, can sign up for Experian’s services. Only adults (students and staff, past and present) can sign up for TransUnion’s services. PowerSchool is not offering either service to parents, guardians or emergency contacts.

Since the incident, PowerSchool has monitored for signs of information misuse. They have reported that they are not aware, at this time, of any identity theft attributable to this incident. That said, we encourage all to sign up for these complimentary services.

Although BHNCDSB does not actively collect Social Insurance Numbers (SIN) to be stored in PowerSchool, for a select number of staff members (i.e., less than 135), a SIN may have been accessed. If your SIN is affected, we will notify you directly.

PowerSchool has provided instructions for signing up for these services on their website (select this link to visit their webpage), and we reproduced the instructions below, as well.

Note: You must enroll for applicable services by May 30, 2025.

Experian and TransUnion Monitoring Sign-Up Instructions

Experian Identity Protection Services – Available to All Involved Students and Staff (with PowerSchool accounts)

Enrollment Instructions for Experian IdentityWorks

  1. Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC)
  2. Visit the Experian IdentityWorks website to enroll: https://www.globalidworks.com/identity1
  3. Provide the activation code: MPRT987RFK

For questions about the product or help with enrollment, please email globalidworks@experian.com

Details Regarding Your Experian IdentityWorks Membership

A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:

  • Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
  • Fraud Remediation Tips: Self-help tips are available on your member center.

TransUnion Credit Monitoring Services – Sign-Up Instructions

Available to Involved Students and Staff Who Have Reached the Age of Majority in their Applicable Province or Territory

Enrollment Instructions for TransUnion myTrueIdentity:

  1. Please visit http://www.powerschool.com/security/canada-credit-monitoring/. There you will find a link to the validation website, https://CaCreditMonitoringValidationPage-PowerSchool.com/, where you will be prompted to validate your information by entering your first name, last name and year of birth.
  • If your identity is validated, a pop-up displays that provides you with an activation code along with a link to TransUnion’s myTrueIdentity site to enroll. Proceed with the enrollment process.

Details Regarding Your myTrueIdentity Membership

Upon completion of the online enrollment process, you will have access to the following TransUnion myTrueIdentity features:

  • Unlimited online access to your TransUnion Canada credit report, updated daily. A credit report is a snapshot of your financial history and one of the primary tools leveraged for determining credit-related identity theft or fraud.
  • Unlimited online access to your CreditVision® Risk credit score, updated daily. A credit score is a three-digit number calculated based on the information contained in your TransUnion Canada credit report at a particular point in time.
  • Credit monitoring, which provides you with email notifications of key changes on your TransUnion Canada credit report. In today’s virtual world, credit alerts are a powerful tool to help protect you against identity theft, enable quick action against potentially fraudulent activity and provide you with additional reassurance.
  • Access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
  • Access to Identity Restoration agents who are available to assist you with questions about identity theft. In the unlikely event that you become a victim of fraud; a personal restoration specialist will help to resolve any identity theft.  This service includes up to $1,000,000 of expense reimbursement insurance.
  • Dark Web Monitoring, which monitors surface, social, deep, and dark websites for potentially exposed personal, identity and financial information and helps protect you against identity theft.

How Can I Access Help with This Process or the Cyber Incident?

As this is a PowerSchool Cyber Incident, PowerSchool, not BHNCDSB, is the contact for all questions related to the incident and monitoring services.

PowerSchool has provided a call centre to address questions regarding these services. If you have any questions or concerns about this notice, please call 833-918-7884, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays).

Please be prepared to provide engagement number B138905.

Should you have any questions for the Brant Haldimand Norfolk Catholic District School Board about this notice, please do not hesitate to contact us at breach@bhncdsb.ca.

FAQ

Background Information – What happened?

On December 28, 2024, PowerSchool, a third-party service provider used by Brant Haldimand Norfolk Catholic District School Board (BHNCDSB) became aware of a cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information.

On January 7, 2025, BHNCDSB IT Services Department staff were notified of a possible PowerSchool Cybersecurity Incident. The next day, the Board Received confirmation that BHNCDSB data may have been involved in the breach. Our Information Technology Services Department began internal investigation and our Communication Services Department began notifications.

On January 9, 2025, Information Technology Services continued the internal investigation in parallel with the one initiated by the PowerSchool independent third-party cyber-security firm. At that time, the Board was notified that the independent breach report would be provided to school districts by January 17, 2025.

As soon as PowerSchool learned of the incident, they engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. PowerSchool is not aware of any identity theft attributable to this incident.

Who was affected?

Many school boards and private schools across North America who use PowerSchool SIS were affected by this incident.

What Data was compromised?

We have determined that the following Board information, from September 1, 2009 to December 19, 2024, was affected:

Student information:

  • Name
  • Address
  • DOB
  • Phone Number
  • OEN (Ontario Education Number)
  • Guardian Name and Address
  • Emergency Name and Phone Number
  • Guardian Alert (if applicable)
  • Medical Conditions (if applicable)

This incident did not result in the compromise of any of the following information: financial information, student academic grades or Individual Education Plans (IEPs). 

Staff information:

  • Name 
  • Address 
  • Phone Number 
  • Employee Number

Please note:

  • ‘Staff’ means BHNCDSB staff members with PowerSchool accounts. This cyber incident impacts a portion, not all, of BHNCDSB staff.
  • Although BHNCDSB does not actively collect SINS to be stored in PowerSchool for select number of individuals (i.e., less than 135), SIN (Social Insurance Number) may have been accessed. If your SIN was affected, we will notify you directly. 
  • Please note that other sensitive staff information, like personal phone numbers, and financial information, was not compromised.

What steps are you taking to prevent this from happening again?

Although this cyber incident did not take place in a BHNCDSB environment, as part of our own investigative process, we are working with industry experts and using this incident as an opportunity to review our vendor information/data retention practices and improve how we protect personal information.

Where can I learn more about the incident?

PowerSchool has posted an FAQ on their website to share information, which includes steps they have taken to address this incident and protect student, family and educator information moving forward.

Visit: https://www.powerschool.com/security/sis-incident/    

Did the Board notify the Office of the Information and Privacy Commissioner?

Yes, the Board has notified and is working with the Information and Privacy Commissioner of Ontario in responding to this incident. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.

Was any credit card or banking information involved in this incident?

No. Both PowerSchool and the Board’s own internal investigation can confirm that there is no evidence of any credit card or banking information being compromised.

Is there any indication that compromised information has been released?

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. Nevertheless, BHNCDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future.

Why were you keeping my student data if I was no longer enrolled in the board?

We keep information about former students in accordance with provincial requirements under the Education Act. BHNCDSB is are taking this opportunity to assess our records retention practices to ensure that we are only keeping what is necessary to conduct the Board’s business. New retention requirements/practices will be shared through an update to the BHNCDSB Generic Records Retention System (GRRS).

Can my family opt-out of PowerSchool?

Not at this time. BHNCDSB is using this incident to review the information practices of all of its vendors.

Is the Board changing vendors?

Not at this time.

Were all PowerSchool products impacted?

No. Only PowerSchool SIS was impacted by this incident. Other PowerSchool tools, like SchoolMessenger, SafeArrival, and SmartFind Express were not impacted.

I have additional questions not addressed by these FAQs.

Questions specific to Guardian Alerts and Medical Conditions (if applicable) can be emailed to breach@bhncdsb.ca. All other information can be found on this webpage or by visiting the PowerSchool incident page. https://www.powerschool.com/security/sis-incident/

Is this a BHNCDSB breach? And what has happened to the impacted information? 

A. This is not a BHNCDSB breach. PowerSchool – a cloud-based software vendor used by BHNCDSB and numerous school boards across North America, experienced a cyber security breach involving unauthorized access to certain information in a backup of our PowerSchool Student Information System.

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. Nevertheless, BHNCDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future. 

How would I know if my children have been affected and to what extent? 

A. The family communication emailed on February 3, 2025, detailed the student PowerSchool fields involved which include: Name

  • Address
  • DOB
  • Phone Number
  • OEN (Ontario Education Number)
  • Guardian Name and Address
  • Emergency Name and Phone Number
  • Guardian Alert (if applicable)
  • Medical Conditions (if applicable)

This PowerSchool breach involves students registered with BHNCDSB from 2005 to December 19, 2024.  

Why is the Board still delivering digital report cards for some schools? Should you not be sending them home with students or via Canada Post? 

PowerSchool has numerous applications including SafeArrival, SchoolMessenger, etc. The application involved in the breach is not connected to other services they provided including secure document delivery (report card and other documents).  

My child goes to XX school. Was his/her information compromised? 

A. Past and current student’s data, as far back as 2009, was involved in the PowerSchool cyber incident. Please refer to your family communication, this webpage, or the PowerSchool FAQ for details.  

I need more information and request clarification. Please call me. 

A. All the information the Board knows about the PowerSchool cyber incident has been communicated via email to current families and staff, is found on this webpage, or is on the PowerSchool FAQ. At this time, we have no other information to provide. If new information is available, we will immediately share it with families and staff through the same processes. 

I won’t ‘click’ on any links in the communications that I received. I’m afraid that more information will be compromised.  

A. We understand the concerns of families and staff. As a reminder, this data resided with PowerSchool, not BHNCDSB. Offering monitoring services is a component of PowerSchool’s cyber incident breach process.  

PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer two years of complimentary identity protection services for all students and staff whose information from PowerSchool was involved.  The Board, on PowerSchool’s behalf, has provided families and staff with information, including hyperlinks, received directly from PowerSchool as part of their breach response. We cannot force individuals to sign up for monitoring services, we can only encourage you to do so. Ultimately, the decision is yours. Please know that identity and credit monitoring communications families received to the email on file at the school, and that staff received to their ‘bhncdsb’ board email accounts, is not SPAM or malicious.  

We want the Board to increase security around student data. Please confirm this is happening or take my child’s information out of PowerSchool.  

A. Student and staff data is always a priority of the Board and for our Information Technology Services staff.  

PowerSchool is the system that we use to manage student and family information. Its ‘suite of products’ has many components that provide the Board with different functions.  

SchoolMessenger was used to send families email information about the PowerSchool breach, SafeArrival is used by families (at some schools) for attendance, etc.  

Not all applications of PowerSchool were involved in the cyber incident, and we continue to use them, without incident. 

We understand that the PowerSchool cyber incident is concerning for families and staff and will continue to do our best to relay information, as we receive it, connected to their breach.   

We would like to have a meeting with other families and Board staff to discuss the PowerSchool cyber incident and work together to find a solution. Can the Board set up a meeting for all families? 

A. As shared with families, staff, and the media, this is a PowerSchool breach and does not belong to, or is being facilitated/managed by, BHNCDSB. All the information that PowerSchool is sharing with the Board has been communicated via email to current families and staff, is found on this webpage, or is on the PowerSchool FAQ

STAFF MEMBER: Can someone please tell me if I have a PowerSchool account and if this impacts me? 

A. If you are unsure if you have a PowerSchool account, please check with your school administrator or supervisor. This PowerSchool breach involves staff with PowerSchool accounts from 2005 to December 19, 2024. 

Archived Communications Sent

February 3, 2025 – Message to staff and families

Dear families and staff,  

As previously communicated, PowerSchool – a cloud-based software vendor used by BHNCDSB, recently experienced a cybersecurity incident involving unauthorized access to certain information in the PowerSchool Student Information System (SIS).  

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. Nevertheless, BHNCDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future. 

We are reaching out to share more information and next steps that we recently received directly from PowerSchool.   

What Data was compromised? 

We have determined that the following Board information, from September 1, 2009, to December 19, 2024, was affected: 

  • Student Information 
  • Name 
  • Address 
  • DOB 
  • Phone Number 
  • OEN (Ontario Education Number) 
  • Guardian Name and Address 
  • Emergency Name and Phone Number 
  • Guardian Alert (if applicable) 
  • Medical Conditions (if applicable) 

Please note: 

  • This incident did not result in the compromise of any of the following information: financial information, student academic grades or Individual Education Plans (IEPs). 
     

Staff Information 

  • Name 
  • Address 
  • Phone Number 
  • Employee Number 

Please note: 

  • ‘Staff’ means BHNCDSB staff members with PowerSchool accounts. This cyber incident impacts a portion, not all, of BHNCDSB staff.  
  • Although BHNCDSB does not actively collect SINS to be stored in PowerSchool 

for select number of individuals (i.e., less than 135), SIN (Social Insurance Number) may have been accessed. If your SIN was affected, we will notify you directly. 

  • Please note that other sensitive staff information, like personal phone numbers, and financial information, was not compromised

Identity Protection and Credit Monitoring Services 

PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer two years of complimentary identity protection services for all students and staff whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all students and educators whose information was involved and who have reached the age of majority.  

The offered credit monitoring services, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and staff, will be provided by Experian. Credit monitoring is being provided by TransUnion because Experian does not offer credit monitoring in Canada.  

Details on how to enrol will be included as part of an upcoming notification. As the offer is specific to this incident, the details contained in the notification will be required to enrol, and cannot be obtained directly from BHNCDSB, TransUnion or Experian. 

Notification 

Starting in the next few weeks, in collaboration with TransUnion and Experian, BHNCDSB will provide direct and indirect notice to families and staff (as applicable) whose information was involved, as well as a phone number to answer any questions you may have about the incident. BHNCDSB will be handling notification to individuals through direct and indirect methods including website posting, social media, email, and where required, direct mail.  

The notice will include the identity protection and credit monitoring services offer (as applicable).  

In the meantime, we encourage you to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the cybersecurity incident. You can also visit the Board’s website CatholicEducation.ca and select the PowerSchool Breach button, found on the main page, to access information about this incident. 

We care deeply about the welfare of our BHNCDSB families and staff and will continue to do everything we can to support you with continued communications pertaining to the PowerSchool cyber security incident.

January 9, 2025 – Message to staff and families

We are reaching out to provide you with notification that the Brant Haldimand Norfolk Catholic District School Board (BHNCDSB) is one of the school districts impacted by a recent PowerSchool data breach.

PowerSchool is an application used by North American school districts to manage student and staff data. This has impacted random school districts in the United States and Canada. PowerSchool has engaged an independent third-party cyber-security firm to conduct an investigation.

BHNCDSB attended a PowerSchool data breach session late yesterday, where we were informed of potential student and staff information that may have been involved in the breach. PowerSchool is still in the investigation stage of the breach and will be working with us to identify exactly what may have been shared. They have put safeguards in place to mitigate the breach and have assured us that they have taken all the appropriate steps to prevent further unauthorized access or misuse of the affected data. They stated that the incident is contained, and it does not anticipate the data will be shared or made public.

Information Technology Services is working with PowerSchool to identify what data has been breached. They expect a comprehensive report from the third-party cyber security firm by January 17, 2025, after which BHNCDSB will have a clear picture of the extend of our involvement in the breach. At this time, that is all the information pertaining to details of the breach that they have.

Communication Services, who oversee Privacy and Records of the district, has reported the notification of our district’s involvement in the PowerSchool breach to the Information and Privacy Commissioner of Ontario.

When more information is available about the PowerSchool breach, an update will be provided.