PowerSchool has provided us with additional information about the data breach that occurred between December 22 and 28 and the timeline for informing individuals whose information was accessed. Here are answers to the frequently asked questions we have been receiving from parents and staff based on the current information we have received from PowerSchool.
Frequently Asked Questions
What information was accessed?
PowerSchool provided NLPS with information about what data was potentially included in the breach. As the information stored in PowerSchool by school divisions varies, the NLPS IT Department investigated to determine what data was in the fields identified by PowerSchool SIS data tables for staff and students.
The data that was accessed includes contact information for current and former students, parents and staff. Not all students, staff or parents had information entered in all of the fields. Student information accessed also included Student PowerSchool SIS ID number, first, middle and last name, birthdate, gender, confirmation of ethnicity, grade, home phone number, student enrollment ID, student web ID, Alberta Student Number (ASN) and home/mailing address.
For a smaller number of students, the information accessed included doctor names and phone numbers, guardian/emergency contact information, limited medical information, and confirmation that custody or court orders exist related to the student (but not the details of those orders). These students will be contacted to update on if information had been included in the data table.
Staff information included PowerSchool SIS ID number, first and last names, and work email. The fields for the home phone number, titles, and home/mailing address, had been populated for some staff and further contact will be provided for these individuals.
No financial information, Social Insurance Numbers, documents, or photos were accessed.
What medical information was accessed?
The medical information that was included was the information that parents provided on their student’s registration form. In most cases, this is not detailed and would have included any allergies, diagnosis or indicated that their child has asthma or is diabetic or important medical notes. For the majority of students, this field is blank so there was no information shared. If students did have medical information included in the breach, they will be informed.
The medical information that was accessed DID NOT include information related to specialized services related to Individualized Program Plans, or other medical information provided to the division that is not part of student registration forms.
Were only the current student and staff information accessed?
No, the information accessed would have been for current and previous students and staff up to when PowerSchool was implemented for the 2010-2011 School year.
What is the total number of individuals that have been affected?
After reviewing the data tables that were accessed, the total number of account lines are as follows:
- Staff: 2,701
- Students: 21,536
This would not be the total number of individuals impacted as there is additional doctor, guardian and emergency contact information that is included in the data tables. The total number impacted will be higher and cannot be verified at this time.
Were any photos accessed?
Pictures were not included in the data that was exfiltrated.
What about birth certificates or other documentation?
Birth certificates, citizenship documents, custody orders and other documentation were not included.
Were social insurance numbers included?
NLPS does not collect social insurance numbers for students.
What about financial information?
There was no financial information included in the information accessed.
What is the timeline for notifying families?
PowerSchool has indicated that parents and guardians of students under the age of 18 whose information was exfiltrated in the data breach will be contacted by them over the next few weeks. The notice received by each individual will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).
Will there be identity protection and credit monitoring available?
PowerSchool is offering complimentary identity protection and credit monitoring services for two years to all students and educators whose information was involved.
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services through Experian for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services through TransUnion for all adult students and educators who have reached the age of majority.
Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent / guardian enrolls an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.
PowerSchool has engaged Experian and TransUnion to provide these services. Starting in the next few weeks, PowerSchool will coordinate with Experian to provide notice on behalf of our customers to students (or their parents/guardians if the student is under 18) and educators whose information was exfiltrated from their PowerSchool SIS.
Have additional security measures been taken to limit access?
Yes, NLPS and PowerSchool have taken additional measures to ensure the safety of information within the PowerSchool SIS system?
NLPS has locked the system so that no access can be initiated from outside Canada. In addition, no remote access can be initiated without contacting an NLPS staff member to grant access and arrange for a connection to be made with NLPS data.
PowerSchool had enacted their cyber security response team when discovering the incident had occurred. Additional enhancements to cyber security defences have been enacted since the data breach.
Does PowerSchool have a public document?
Yes, however some of the information in the document and on their webpage does include information that was not accessed from the NLPS data tables such as a Social Security Number (SSN) and financial information. Please refer to the “What Information was Shared?” FAQ by NLPS to see the information that had been accessed in our data tables.
The link to the PowerSchool FAQ is: https://www.powerschool.com/security/sis-incident/