Updated March 25, 2025
As a result of a security breach from PowerSchool, a threat actor was able to gain access and download the information of multiple school divisions, districts and other school authorities throughout Canada, USA and other international countries. Unfortunately this did include Northern Lights Public Schools data and the threat actor was able to download the staff and student data tables in the PowerSchool Student Information System (SIS). The threat actor was identified and PowerSchool has updated us that the information should no longer be accessible.
NLPS has been working with PowerSchool to provide notification to the affected parties which include current and former staff and students. Notifications have started to be sent out on March 24, 2025 and include a generic statement of what had been accessed. The information that had been accessed does not include financial data or social insurance numbers since NLPS does not collect these for students and staff in PowerSchool SIS.
Frequently Asked Questions
What happened?
PowerSchool informed us that information from the PowerSchool SIS was accessed by a threat actor between December 22nd and 28th. PowerSchool immediately took steps to contain the breach and informed us that the data is no longer accessible by the threat actor.
We received notice from PowerSchool on January 7th that Northern Lights is one of the school divisions affected by the data breach. On January 8th we were provided further details about the breach. We had been working with PowerSchool to provide notifications and updates where possible regarding the situation via School Messenger and creating a FAQ that had been advertised on our website.
What information was accessed?
PowerSchool provided NLPS with information about what data was potentially included in the breach. As the information stored in PowerSchool by school divisions varies, the NLPS IT Department investigated to determine what data was in the fields identified by PowerSchool SIS data tables for staff and students.
The data that was accessed includes contact information for current and former students, parents and staff. Not all students, staff or parents had information entered in all of the fields. Student information accessed also included Student PowerSchool SIS ID number, first, middle and last name, birthdate, gender, confirmation of ethnicity, grade, home phone number, student enrollment ID, student web ID, Alberta Student Number (ASN) and home/mailing address.
For a smaller number of students, the information accessed included doctor names and phone numbers, guardian/emergency contact information, limited medical information, and confirmation that custody or court orders exist related to the student (but not the details of those orders). These students will be contacted to update on if information had been included in the data table.
Staff information included PowerSchool SIS ID number, first and last names, and work email. The fields for the home phone number, titles, and home/mailing address, had been populated for some staff and further contact will be provided for these individuals.
No financial information, Social Insurance Numbers, documents, or photos were accessed.
What medical information was accessed?
The medical information that was included was the information that parents provided on their student’s registration form. In most cases, this is not detailed and would have included any allergies, diagnosis or indicated that their child has asthma or is diabetic or important medical notes. For the majority of students, this field is blank so there was no information shared. If students did have medical information included in the breach, they will be informed.
The medical information that was accessed DID NOT include information related to specialized services related to Individualized Program Plans, or other medical information provided to the division that is not part of student registration forms.
Were only the current student and staff information accessed?
No, the information accessed would have been for current and previous students and staff up to when PowerSchool was implemented for the 2010-2011 School year.
What is the total number of individuals that have been affected?
After reviewing the data tables that were accessed, the total number of account lines are as follows:
- Staff: 2,701
- Students: 21,536
This would not be the total number of individuals impacted as there is additional doctor, guardian and emergency contact information that is included in the data tables. The total number impacted will be higher and cannot be verified at this time.
Were any photos accessed?
Pictures were not included in the data that was exfiltrated.
What about birth certificates or other documentation?
Birth certificates, citizenship documents, custody orders and other documentation were not included.
Were social insurance numbers included?
NLPS does not collect social insurance numbers for students.
What about financial information?
There was no financial information included in the information accessed.
What is the timeline for notifying families?
PowerSchool has indicated that parents and guardians of students under the age of 18 whose information was exfiltrated in the data breach will be contacted by them over the next few weeks. The notice received by each individual will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).
Will I be receiving a notification from PowerSchool?
Yes. You may receive a notification directly from PowerSchool from one of the following email addresses or any other email address with the @csid domain name:
- Ps-sis-incident@mail.csid.com
- Ps-sis-incident@mail1.csid.com
- Ps-sis-incident@mail2.csid.com
Will there be identity protection and credit monitoring available?
Identity protection and credit monitoring are not mandatory and can be entered into at your discretion.
PowerSchool is offering complimentary identity protection and credit monitoring services for two years to all students and educators whose information was involved.
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services through Experian for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services through TransUnion for all adult students and educators who have reached the age of majority.
Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent / guardian enrolls an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.
How do we enroll?
Identity protection
- Visit the Experian IdentityWorks website to enroll: https://www.globalidworks.com/identity1
- Provide your activation code: MPRT987RFK
For questions about the product or help with enrollment, please email globalidworks@experian.com. PowerSchool has extended the sign-up deadline from May 31, to July 31, 2025.
Credit Monitoring
- Please visit http://www.powerschool.com/security/canada-credit-monitoring/. There you will find a link to the validation website, https://CaCreditMonitoringValidationPage-PowerSchool.com/, where you will be prompted to validate your information by entering your first name, last name and year of birth
- If your identity is validated, a pop up will appear that provides an activation code and provides you a link to TransUnion’s myTrueIdentity site to enroll
Is there anything else I can do?
You are encouraged to remain vigilant against incidents of identity theft and fraud by reviewing account statements for suspicious activity. PowerSchool will never contact you by phone or email to request your personal or account information.
Is there a representative from PowerSchool I can contact?
Yes. If you have any questions or concerns about this notice, please call 833-918-7884, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays). Please be prepared to provide engagement number B138905.
Have additional security measures been taken to limit access?
Yes, NLPS and PowerSchool have taken additional measures to ensure the safety of information within the PowerSchool SIS system?
NLPS has locked the system so that no access can be initiated from outside Canada. In addition, no remote access can be initiated without contacting an NLPS staff member to grant access and arrange for a connection to be made with NLPS data.
PowerSchool had enacted their cyber security response team when discovering the incident had occurred. Additional enhancements to cyber security defences have been enacted since the data breach.
Does PowerSchool have a public document?
Yes, however some of the information in the document and on their webpage does include information that was not accessed from the NLPS data tables such as a Social Security Number (SSN) and financial information. Please refer to the “What Information was Shared?” FAQ by NLPS to see the information that had been accessed in our data tables.
The link to the PowerSchool FAQ is: https://www.powerschool.com/security/sis-incident/
PowerSchool also engaged CrowdStrike to conduct an investigation into the incident. They have shared the final incident report.
Who can I contact regarding any privacy concerns?
For any specific FOIP/Privacy related questions, you can contact the School Division's FOIP/Privacy Coordinator Peter Desmond at peter.desmond@nlsd.ab.ca or 780-826-3145 ext. 2006.
Individuals do have the right to file a complaint with the OIPC and they can be contacted by phone number at 1-888-878-4044 or through accessing additional resources at their website https://oipc.ab.ca/.