����ֱ��

PowerSchool Breach

On January 7, 2025, the ����ֱ�� was notified by our student information system (SIS) provider, PowerSchool, that a cybersecurity event had occurred in late December and that some of our PowerSchool data was accessed.

Communications

• Incident Update – May 9, 2025
• Incident Update – March 14, 2025
• Incident Update – February 6, 2025
• Incident Update – January 30, 2025
• Incident Update – January 13, 2025
• Notice of Incident – January 8, 2025

Documents

• Example of PowerSchool Email (sent to students, parents/guardians, educators)
• Steps You Can Take To Help Protect Personal Information

FREQUENTLY ASKED QUESTIONS (FAQ)

Updated May 9, 2025

The PowerSchool email and the services offered

1. I received an email that claims to be from PowerSchool. Is it legitimate?

We understand PowerSchool has sent emails to students, parents/guardians, and educators whose information was involved in the incident. We understand from PowerSchool the email was or will be sent from one of the following similar email addresses: ps-sis-incident@mail.csid.com; ps-sis-incident@mail1.csid.com; or ps-sis-incident@mail2.csid.com. If you receive or have received an email from any one of these email addresses with the subject line “PowerSchool Cybersecurity Incident”, we have been assured by PowerSchool that it is a legitimate email.

Whether or not you received the email from PowerSchool, you may also visit to learn how to activate the identity protection and/or credit monitoring services. The PowerSchool website also includes information in .

2. I have a question about how to sign up for the identity protection and/or credit monitoring services offered by PowerSchool.

PowerSchool has advised that you can call 833-918-7884 if you have any questions. For those able to utilize credit monitoring services (anyone age 18 and over), you will be prompted to validate before activating by entering your name and date of birth. Anyone, including those under 18, can utilize the identity protection services. We encourage you to sign up for the services offered by PowerSchool.

The incident

3. What happened?

PowerSchool informed ����ֱ�� that it had experienced a cybersecurity incident involving unauthorized access to and exfiltration (acquisition) of certain customer information between around December 19 and December 28, 2024. ����ֱ�� is a customer of PowerSchool, like many other educational institutions across North America. PowerSchool provides a Student Information System (SIS) used by ����ֱ�� and thus we were informed by PowerSchool that information stored by ����ֱ�� in our SIS was involved in the incident.

We understand PowerSchool has sent emails to students, parents/guardians, and educators whose information was involved in the incident. We understand from PowerSchool the email was or will be sent from one of the following similar email addresses: ps-sis-incident@mail.csid.com; ps-sis-incident@mail1.csid.com; or ps-sis-incident@mail2.csid.com.

Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the identity protection and/or credit monitoring services being offered. The PowerSchool website also includes information in French. For those able to utilize credit monitoring services (anyone age 18 and over), you will be prompted to validate before activating by entering your name and date of birth. Anyone, including those under 18, can utilize the identity protection services. PowerSchool has advised that you can call 833-918-7884 if you have any questions.

We have been informed that PowerSchool has contained the incident and that there is no evidence of malware or continued unauthorized activity in the PowerSchool environment. There have been no operational impacts on ����ֱ�� as a result of this incident.

IMPORTANT: PowerSchool’s notification may indicate that your Social Insurance Number was exposed, but we wish to clarify that this is not the case. Rather, ����ֱ�� stored alternate data in the Social Insurance Number field—specifically the 9-digit Manitoba Education and Training Number (MET), which is a unique student ID that the province creates for each student who enrolls in a Manitoba public school. As noted in our previous correspondence, we can advise that no parent/guardian, staff, or student Social Insurance Number (SIN), banking, or credit card information has been identified as stored in our SIS.

4. Who did this and for what purpose?
This incident occurred at PowerSchool. Unfortunately, organizations across the public and private sectors are increasingly being impacted by incidents like this.

5. How did you respond to the incident?

When we learned of the incident, we conducted an investigation with the assistance of experts and worked diligently to request more details from PowerSchool. We have been assured by PowerSchool that the incident has been contained. We took steps to confirm there was no ongoing threat and to reduce the risk of a similar future threat, including by confirming that PowerSchool: engaged its cybersecurity response protocols, engaged a cybersecurity expert to conduct a forensic investigation, deactivated a compromised account, conducted a full password reset, initiated enhanced processes for access, further strengthened password policies and controls, and notified law enforcement. PowerSchool has also advised that it has taken steps to prevent the information involved from further unauthorized access or misuse, that it does not anticipate the information being shared or made public, and that it believes the information has been deleted without any further replication or dissemination.

PowerSchool has notified Canadian privacy regulators about this incident. (����ֱ�� has already informed the Manitoba Ombudsman.) PowerSchool has or will be notifying individuals by email and we understand the email was or will be sent from one of the following similar email addresses: ps-sis-incident@mail.csid.com; ps-sis-incident@mail1.csid.com; or ps-sis-incident@mail2.csid.com. Whether or not you receive an email, you may also visit to learn how to activate the identity protection and/or credit monitoring services. For those able to utilize credit monitoring services (anyone age 18 and over), you will be prompted to validate before activating by entering your name and date of birth. Anyone, including those under 18, can utilize the identity protection services. PowerSchool has advised that you can call 833-918-7884 if you have any questions.

6. Has the incident been resolved?

We have been informed that PowerSchool has contained the incident and that there is no evidence of malware or continued unauthorized activity in the PowerSchool environment. There have been no operational impacts on ����ֱ�� as a result of this incident.

The response

7. Has law enforcement been notified?

Yes, PowerSchool has advised us that it has notified law enforcement.

8. Has the Manitoba Ombudsman been advised?

Yes, the Manitoba Ombudsman has been advised.

The impact

9. Why did this happen to the ����ֱ��?

PowerSchool is a vendor used by many educational institutions in North America. We are a customer of PowerSchool and, as a result of the incident experienced by PowerSchool, we were impacted. We have no reason to believe that ����ֱ�� was a specific target in this incident.

The data

10. Has information been accessed? Was information from the ����ֱ�� exposed?

You will see that PowerSchool includes in the email a description of some of the information that was potentially involved in the incident. The information involved varies by person.

For students registered in Hanover School division from 2012 – 2024, the information involved will generally be limited to information parents/guardians provided ����ֱ�� upon registration of their child as a student or any subsequent updates to that information. For many students, the information involved was name, date of birth, gender, phone number, address, school email address, MET number, school ID number, and/or enrolment records. For a small number of students, there was also relevant medical information (e.g., allergies) and/or relevant alerts (e.g., related to discipline, guardian, custody, or other issues), as well as the parent/guardian’s name and contact information.

For staff in ����ֱ�� from 2012 – 2024, the information involved was name, phone number, address, school contact information, Professional School Personnel number, and/or school ID number. For a small number of staff, there was also a personal email address.

The email from PowerSchool also refers to Social Insurance Number (SIN) as potentially involved but should also include a statement if there is no evidence that your SIN was involved – please review the email carefully. As we mentioned previously, based on our own investigation of the information stored in our SIS, no parent/guardian, staff, or student SIN, banking, or credit card information was stored in our SIS and thus such information was NOT involved in the incident – the email from PowerSchool should thus say there is no evidence your SIN was involved. PowerSchool has nevertheless offered identity protection and/or credit monitoring to all individuals with any information involved. We encourage you to sign up for the services offered by PowerSchool.