PowerSchool Cybersecurity Incident
PowerSchool Data Breach Update
May 8, 2025
Elk Island Public Schools (EIPS) has been informed by PowerSchool that a threat actor is attempting to extort some school boards using the data breached in December 2024. To date, EIPS has not been contacted by this individual but it’s important to ensure school families are aware of what is taking place.
At this time, PowerSchool has indicated no new data has been accessed. PowerSchool has told school boards its system is secure and they continue to actively monitor.
We were informed PowerSchool paid a ransom to secure deletion of the impacted data shortly following the December 2024 incident. As with any such incident, there was a risk the threat actors would not honour their commitment to delete the stolen data, despite assurances provided to PowerSchool. EIPS did not pay a ransom, nor did it contribute financially to any ransom payment.
The protection of student and staff data is important to us, and we’re taking this security breach seriously. We remain committed to keeping staff and families informed, and updates will continue to be posted here as they become available. Past updates continue to be available on this page.
Identity Protection and Credit Monitoring Reminder
As previously shared, PowerSchool is offering two years of complimentary identity protection services, provided by Experian, to students and educators whose information was involved. A credit card is not required to enrol.
PowerSchool is offering credit monitoring services to involved staff and students who have reached the age of majority in Alberta.
In March, direct email communication started going out from Experian—sent on behalf of PowerSchool—to individuals connected to EIPS affected by the PowerSchool cybersecurity incident earlier this year. Even if you didn’t receive the direct email, you can still take advantage of the services being offered.
How to Apply for Identity Monitoring
- Visit the Experian IdentityWorks website to enrol: globalidworks.com/identity1
- Provide the activation code: MPRT987RFK
- The deadline to enrol is July 30, 2025 (The code will not work after this date)
- For questions about the product or help with enrolment, email globalidworks@experian.com
How to Apply for Credit Protection
- Visit http://www.powerschool.com/security/canada-credit-monitoring/ and click on the link to the validation website
- Enter your first name, last name and year of birth
- If your identity is validated, a pop-up will appear that provides an activation code and a link to TransUnion’s myTrueIdentity site to enrol
More information is available on the PowerSchool: Notice of Data Breach For Individuals in Canada page.
Frequently Asked Questions
Feb. 4, 2025
What solutions are being offered to impacted individuals?
PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer two years of complimentary identity protection services for all students and educators whose information was involved. This offer will also include two years of complimentary credit monitoring services for all students and educators whose information was involved and who have reached the age of majority.
The offered credit monitoring services, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian. Credit monitoring is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
I didn’t receive a notice but feel I should have?
The week of Feb. 11, 2025, PowerSchool will begin contacting current and former EIPS members for whom email addresses were available. Please check your junk mail folder in case the letter was misdirected there.
If you do not receive an email, please follow this link to view a copy of the notification letter and to register for your complimentary identity protection services (for all students and educators) and credit monitoring services (for all students and educators who are the age of majority).
What happened?
On Jan. 8, 2025, Elk Island Public Schools was notified by PowerSchool—a third-party software vendor whose platform we, and many other schools in North America and around the world, use to store student and staff information—of a data breach.
Although the breach did not originate on EIPS' systems, as soon as we learned of this incident, we initiated our security protocols, including engaging cybersecurity specialists. Our daily operations have not been interrupted because of this incident and schools continue to operate as usual.
We've been informed by PowerSchool that the incident is contained and there is no evidence of continued unauthorized activity in the PowerSchool platform. We are not aware of any data misuse at this point. PowerSchool has advised it has received confirmation the data accessed by the unauthorized user has been deleted and that no copies of this data were posted online.
Are accounts through PowerSchool secure?
Usernames and passwords were not impacted in this breach.
Was financial information stolen?
We want to assure you that no financial information (including credit cards) was accessed or stored in PowerSchool. When EIPS parents or guardians make a payment, they are redirected to a separate payment platform via a secure link. PowerSchool cannot access financial information stored on this payment platform, nor does this payment platform share data back with PowerSchool. The recent data breach was limited to PowerSchool’s platform only.
Who is affected?
All current and former EIPS students who attended EIPS from 2009 onward and current and former staff who had a PowerSchool account from 2009 onward.
What data was impacted?
On Dec. 22, 2024, an unauthorized party accessed PowerSchool’s platform where we store student and staff information. EIPS has completed a thorough review of impacted data and can confirm the following data was accessed as a result of this incident:
- Students: name, date of birth, grade level, mailing address, Alberta Student Number, parent/guardian names, home phone number, graduation year and some emergency contact and medical information (for example, doctors' names and phone numbers)
- Staff: name, work email address, employee ID, PowerSchool username (firstname.lastname)
Note: Data taken for former students and staff would have been accurate as of the last time they were enrolled or employed with the Division, respectively.
Documents (for example, birth certificates) uploaded within PowerSchool and social insurance numbers were not impacted as a result of this incident.
Were photos accessed?
No staff or student photos were accessed in this incident.
What happens next?
Starting the week of Feb. 11, 2025, Experian (on behalf of PowerSchool) will begin distributing direct email notifications to EIPS students, parents/guardians and educators (as applicable) for whom email contact information was available.
Former students and staff for whom contact information is not available, or for whom we do not have up-to-date contact information, will be contacted through this website notice. Additionally, PowerSchool has published the notification letter on its website and issued a press release in further efforts to reach those individuals who could not be contacted through email.
Will you be providing any further updates?
We do not anticipate any further updates. However, if there are any important updates, we will release them through our website.
Additional Questions?
If you have any questions or concerns regarding the notice from Experian on behalf of PowerSchool or this incident in general, please call 833-918-7884, Monday through Friday between the hours of 8 a.m. and 8 p.m. CT, excluding major U.S. holidays.
If you would prefer to contact EIPS, questions can be submitted via the Division website online contact form or directly with your school administration.
Previous Update: March 25, 2025
March 25, 2025
The Division has been informed the direct email communication is starting to go out from Experian—sent on behalf of PowerSchool—to individuals connected to Elk Island Public Schools (EIPS) affected by the PowerSchool cybersecurity incident earlier this year. Division students, parents/guardians and staff, as applicable, whose information was involved in the incident can expect to receive an email from one of the following email addresses with information about next steps.
- Ps-sis-incident [at] mail [dot] csid [dot] com
- Ps-sis-incident [at] mail1 [dot] csid [dot] com
- Ps-sis-incident [at] mail2 [dot] csid [dot] com
Direct emails from one of these three email addresses are legitimate emails from Experian and not spam—see example.
NOTE: There are key deadlines included within the email notice for those individuals interested in enrolling for identity protection services, credit monitoring or both, as applicable. EIPS encourages families to check their spam or junk folders in case the email was filtered there.
If you don’t receive a direct email and were expecting to, or if you have any questions or require additional information, refer to the Cybersecurity Incident page on the PowerSchool website.
Previous Update: Feb. 4, 2025
Feb. 4, 2025
In continued efforts to provide you with real-time and transparent information regarding the data breach involving PowerSchool (a software vendor used by Elk Island Public Schools), we are sharing an update on notices being sent out in relation to this incident and responses to frequently asked questions.
Starting the week of Feb. 11, 2025, we expect Experian will begin distributing direct email notifications (on behalf of PowerSchool) to EIPS students, parents/guardians and educators (as applicable) whose information was involved in the incident and for whom email contact information was available. The notice includes two years of complimentary identity protection services provided by Experian. For students and educators who are the age of majority, this offer will also include two years of complimentary credit monitoring services provided by TransUnion.
Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call centre to answer any questions associated with both Experian and TransUnion’s offerings and the incident. All the information regarding the activation of and access to these services will be included in the emails sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate these offerings.
We care deeply about the welfare of our EIPS families and will continue to do everything we can to support you. Thank you again for your support and understanding during this time.
Previous Update: Jan. 10, 2025
What happened?
On Jan. 8, 2025, Elk Island Public Schools was notified by PowerSchool—a third-party software vendor whose platform we, and many other schools in North America and around the world, use to store student and staff information—of a data breach.
Although the breach did not originate on EIPS' systems, as soon as we learned of this incident, we initiated our security protocols, including engaging cybersecurity specialists. Our daily operations have not been interrupted because of this incident and schools continue to operate as usual.
We've been informed by PowerSchool that the incident is contained and there is no evidence of continued unauthorized activity in the PowerSchool platform. We are not aware of any data misuse at this point. PowerSchool has advised it has received confirmation the data accessed by the unauthorized user has been deleted and that no copies of this data were posted online.
Are accounts through PowerSchool secure?
Usernames and passwords were not impacted in this breach.
Was financial information stolen?
We want to assure you that no financial information (including credit cards) was accessed or stored in PowerSchool. When EIPS parents or guardians make a payment, they are redirected to a separate payment platform via a secure link. PowerSchool cannot access financial information stored on this payment platform, nor does this payment platform share data back with PowerSchool. The recent data breach was limited to PowerSchool’s platform only.
Who is affected?
All current and former EIPS students who attended EIPS from 2009 onwards and current and former staff who had a PowerSchool account from 2009 onwards.
What data was impacted?
On Dec. 22, 2024, an unauthorized party accessed PowerSchool’s platform where we store student and staff information. EIPS has completed a thorough review of impacted data and can confirm the following data was accessed as a result of this incident:
- Students: name, date of birth, grade level, mailing address, Alberta Student Number, parent/guardian names, home phone number, graduation year and some emergency contact and medical information (for example, doctors' names and phone numbers)
- Staff: name, work email address, employee ID, PowerSchool username (firstname.lastname)
Note: Data taken for former students and staff would have been accurate as of the last time they were enrolled or employed with the Division, respectively.
Documents (for example, birth certificates) uploaded within PowerSchool were not impacted as a result of this incident.
Were photos accessed?
No staff or student photos were accessed in this incident.
What happens next?
We will be contacting guardians of currently enrolled students and current staff directly with a letter to share information about the incident and any recommendations on steps you can take to protect your and your child’s information. Students not currently enrolled and staff no longer employed who are impacted by this data breach are contacted through this website notice. If there are any important updates, we will release them through our website.
In the meantime, questions can be submitted via the Division website online contact form or directly with your school administration.