Staff and families can find the most up to date information about the PowerSchool data breach below.  This page includes links to communication that has been shared and new Frequently Asked Questions (FAQs) for staff and families.  

To view communication that has been shared with families about this incident, please click here.

To view our most recent media release(s) about this incident, please click here.

Please contact us at cybersupport@kpdsb.ca should you have questions that aren't answered by the information available on this page.  

Frequently Asked Questions (FAQ) for PowerSchool Data Breach

Last updated: January 14, 2025

Q: Who is affected?

A: All current and former KPDSB students from 2015 and onward.  All current and former KPDSB staff with access to PowerSchool since 2015.

Q: What student data was accessed?

A: Our investigation has determined that a range of data was accessed. Our investigation has determined that the data accessed included:

• Student demographic information such as first name, last name, date of birth, student phone numbers, and mailing addresses. 

• Ontario Education Numbers (OEN)

• Guardian Alerts/Notes (general information about who may pick a student up on a certain day, student’s preferred name, etc.)

• Basic student medical information for some KPDSB students, including details such as asthma, allergies, diabetes, or other medical conditions that were shared with your child’s school. 

Q: What staff data was accessed?

A: The breach accessed limited staff work-related data, including names, email addresses (KPDSB emails), personal phone numbers and internal identification numbers. There are some staff mailing addresses that have been accessed through the breach.  Those staff members will be contacted directly.

Q: What data was NOT accessed?

A: Our investigation has determined that the following were NOT compromised by the breach:

• KEV Software (School Cash Online) 

• No Credit card information was accessed or exposed

• Employee Payroll Information was not affected and remains secure

• No Student Photos were compromised in the Breach

Q: Was financial information accessed?

A: No. Financial information was not accessed, as it is not stored in PowerSchool. This recent cybersecurity breach was limited to PowerSchool systems only.

Q: Were photos accessed?

A: No. Student and staff photos were not accessed in this incident.

Q: Can staff still use their PowerSchool Account?

A: Yes, you can continue to use your PowerSchool account as usual. The PowerSchool cybersecurity incident has not disrupted daily school operations or classroom instruction. PowerSchool has assured us that the incident has been contained and that additional security measures have been implemented to prevent future breaches.

Q: What can the data taken be used for?

A: The accessed data could potentially be used for identity theft, where personal details are misused to impersonate someone or commit fraud. It could also be used for phishing or social engineering, such as sending fake emails or messages designed to trick individuals into revealing sensitive information like passwords or financial details.

While no financial information, passwords, or personal documents were accessed in this incident, it is always important to monitor any digital accounts that you have to watch for activity that is not yours.

We advise being cautious with emails or messages that seem unfamiliar. Avoid clicking on unknown links and refrain from sharing personal details in response to unsolicited requests.  We also recommend changing passwords regularly on your personal accounts.

Q: How did the data breach happen?

A: According to PowerSchool, the breach occurred after an unauthorized party used a compromised credential to gain access, affecting information from multiple school divisions worldwide, including KPDSB.

PowerSchool has assured us that the vulnerability has been identified and resolved. They have also implemented enhanced security measures to prevent similar incidents in the future. 

Q: What measures are in place to protect against future breaches?

A: This was a PowerSchool breach. PowerSchool says it has strengthened its password policies and controls, including increasing the length and complexity of the passwords required of all employees. PowerSchool is working with CrowdStrike, a leading cybersecurity company, monitoring the internet for any potential misuse of data. We are also closely monitoring the situation.

KPDSB has Multi-Factor Authentication (MFA) enabled for all staff. MFA reduces the risk of account takeovers and provides additional security for users and their accounts. 

Q: What should I watch out for to protect my information?

A: We recommend you always use the following practices to keep your accounts and information secure: 

• Regularly check your email, online accounts, and social media accounts for any signs of unusual activity.

• Update all account passwords frequently, especially if any have been reused across different platforms.

• Use strong, unique passwords for every account, and consider using a password manager for enhanced security.

• Activate two-factor or Multi-Factor Authentication on any accounts where it’s available for extra protection.

Additionally, stay vigilant against phishing attempts. Be cautious of unfamiliar emails, calls, or messages that claim to be from legitimate organizations. Never click on suspicious links or share personal information without verifying the source. By always taking these precautions, you can help safeguard your accounts and reduce the risk of unauthorized access.

---

Contact us at cybersupport@kpdsb.ca if you have additional questions.