PowerSchool Cybersecurity Incident

On January 7, 2025, the Provincial Government received notice that PowerSchool had experienced a cybersecurity incident. PowerSchool is a third party which provides a platform used in the provincial K-12 education system, as well as many other jurisdictions.

This page provides key information, Frequently Asked Questions (FAQ), and other resources to help explain what happened.

Updates and information will be shared on this page as they become available. Please check back regularly for the most recent developments.

Information on the incident is also available on the PowerSchool website.

 

PowerSchool Cybersecurity Incident Timeline   

December 28, 2024: PowerSchool became aware of a cybersecurity incident and activated its incident‑response protocol, assembling a cross‑functional team and engaging third‑party cybersecurity specialists to contain the threat and assess the extent of the attack. CrowdStrike, the third‑party cybersecurity firm retained by PowerSchool, led the investigation, and its findings are summarized in the CrowdStrike investigation Report (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

January 7, 2025: The Provincial Government received notice that PowerSchool had experienced a cybersecurity incident and initiated its own incident response for cyber and privacy investigations (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

January 8, 2025: The Provincial Government notified the Office of the Information and Privacy Commissioner about the incident and submitted a formal privacy breach report. It also informed NLSchools, the Conseil Scolaire Francophone Provincial, private schools, Indigenous schools, and the Newfoundland and Labrador Teachers’ Association (NLTA). The Department of Education and Early Childhood Development also issued a memo to NLSchools parents and guardians and a Public Advisory confirming information known at the time. The Minister of the Department of Education and Early Childhood Development also held a media availability (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

January 28, 2025: A Public Advisory was issued by the Department of Education and Early Childhood Development, and NLSchools sent a memo to staff and families outlining the categories of affected individuals and confirming that the Provincial Government was working with PowerSchool on the notification process (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

January 31, 2025 – February 7, 2025: Teachers whose personal information in the breach included their SIN were sent a direct notification letter (by email or mail) from NLSchools (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

February 4, 2025: A Public Advisory was issued by the Department of Education and Early Childhood Development confirming that credit monitoring and identity protection services, provided by PowerSchool, were now available to affected individuals. It also noted that PowerSchool, through Experian, would be sending direct email notifications to those for whom sufficient contact information was available (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

February 20, 2025: PowerSchool sent an email to students and educators, confirming the name of the impacted person, types of personal information exfiltrated in the breach, and provided details on how to access credit monitoring and identity protection services (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

February 21, 2025: The Department of Education and Early Childhood Development issued a Public Advisory confirming which email addresses were used to send PowerSchool’s notifications and advising people to check their spam or junk folders, as the message was an official communication from PowerSchool (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

July 25, 2025: Students with an active status, whose personal information taken in the breach also included information assessed as higher risk, were sent direct notification emails from NLSchools to their parents or guardians (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

 

Frequently Asked Questions 

What happened?

On January 7, 2025, Government received notice that PowerSchool had experienced a cybersecurity incident. PowerSchool is a third party which provides a platform used in the provincial K-12 education system. The incident is not specific to Newfoundland and Labrador. PowerSchool notified customers in multiple jurisdictions in North America.

PowerSchool has confirmed that an unauthorized party (threat actor) gained access to certain PowerSchool Student Information System (SIS) customer data using a compromised credential.

PowerSchool has confirmed that only PowerSchool SIS data was accessed and that no other PowerSchool products were affected.

There has been no disruption to the daily operations of schools or classroom instruction.

Was this ransomware?

PowerSchool initially stated that this was not ransomware.  However, PowerSchool paid a ransom after receiving assurances and purported evidence from the threat actor that the stolen data would be destroyed. The Government of Newfoundland and Labrador was not contacted by the threat actor and did not pay any ransom.

When was the Provincial Government made aware?

The Department of Education and Early Childhood Development was notified by PowerSchool on January 7, 2025.

Was this a targeted incident to our province?

No. This incident impacted PowerSchool customers in multiple jurisdictions in North America.

Who is impacted?

Teachers: Data relating to 14,346 teachers was accessed by the threat actor. The oldest teacher records involved were from 2010.

Students: Data relating to 270,812 students was accessed by the threat actor. The oldest student records involved were high school students’ information from 1995. Approximately 75 per cent of the students (198,808 students) whose data was accessed are no longer in the K-12 system and their accounts were inactive.

What information was accessed?

Teachers: About 70 per cent of the teacher information involved includes some combination of name, email address, and phone number. Sixty Medical Care Plan (MCP) numbers and 730 Social Insurance Numbers (SIN) of teachers were included in the data that was accessed. The Department of Education and Early Childhood Development provided individual notifications to the 730 individuals who had a SIN involved.  There was 1 instance of date of birth identified from an inactive account that had the name and work email information attached.

Students: In addition to the individual’s name, information accessed may have included all or some combination of date of birth, gender, MCP number, contact information, medical alert information, custodial alert information, discipline alert information, parent/guardian contact information, emergency contact information, guardian information, other related information and social insurance numbers. With respect to potential social insurance numbers, there were 27 instances identified of data containing 9-digit numbers that could be valid social insurance numbers.

Why were all impacted individuals not directly notified of the breach?

With respect to notification for teachers, all teachers whose SINs were accessed received direct notification. Current teachers were contacted by email. For those teachers no longer employed, written notification was provided by mail.

With respect to students, indirect notifications were sent through news releases and the Department’s website. Following further assessment of the student data, when it was determined that additional high-risk information may have been accessed, direct notification was sent to all current students by email. Students who had left the school system were not directly notified, given that the Department may potentially have outdated contact information and to avoid the potential of a secondary privacy breach.

Has the data accessed been used inappropriately?

PowerSchool paid a ransom after receiving assurances and purported evidence from the threat actor that the stolen data would be destroyed. However, the information was not deleted. On May 7, 2025, PowerSchool reported that school districts were receiving extortion attempts using data taken during the December 2024 privacy breach. Although several school districts in Canada received payment demands in May 2025, the Department confirmed during the investigation by the Office of the Information and Privacy Commissioner that it found no evidence of similar attempts targeting schools in Newfoundland and Labrador (Office of the Information and Privacy Commissioner Newfoundland and Labrador, 2026).

What support was provided to impacted individuals?

PowerSchool provided credit monitoring services to affected adults and identity protection services to affected minors in accordance with regulatory and contractual requirements.  The enrollment period for the two‑year credit monitoring and identity‑protection services that had been offered to affected individuals has now expired.

What steps are being taken to avoid further incidents?

  • PowerSchool’s post‑breach remedial actions focused on deactivating the compromised credential and restricting all access to the affected portal. Additional confidential measures that increased security were also undertaken.
  • The Department of Education and Early Childhood Development conducted a full password reset and further tightened password and access control for all relevant accounts. Additional confidential measures that increased security were also undertaken.
  • The Department of Education and Early Childhood Development and OCIO will be implementing recommendations as per the OIPC report.

I am a parent or student. How do I change my PowerSchool password?

Instructions on how to change your password are available here.

Was the Rycor payment platform accessed?

The Rycor payment platform is not a PowerSchool product. Information contained in Rycor was not accessed in this cybersecurity incident.

Who can I contact for further information?

Inquiries can be sent to PowerSchoolinfo@gov.nl.ca

If the cybersecurity breach was within the PowerSchool Student Information System, how was some teacher data accessed?

A minimal amount of teacher data is included in PowerSchool’s Student Information System for operational requirements.

Why was student data from 1995 onwards stored in the PowerSchool Student Information System?

PowerSchool is the platform that the Provincial Government uses to store student records for the K-12 school system in Newfoundland and Labrador. The retention of student records is in accordance with the Schools Act, 1997, which establishes legislative requirements and guidelines for maintaining educational records. These requirements ensure that student information is retained for necessary administrative, legal, and historical purposes.

I am a former student or my child is currently a student; can my/their student data be removed from PowerSchool?

PowerSchool is the platform that the Provincial Government uses to store student records for the K-12 school system in Newfoundland and Labrador. This data is subject to legislative requirements in accordance with the Schools Act, 1997 and cannot be deleted or removed at this time.

Is the PowerSchool server hosted in Canada?

Yes, the PowerSchool server is hosted in Canada.

I am concerned that I am a part of a phishing scam. What do I do?

If you believe you have been involved in a scam, report it immediately to the Royal Newfoundland Constabulary at 709-729-8000 or use the online reporting system. Incidents should also be reported to the Canadian Anti-Fraud Centre at 1-888-495-8501.

References:
Office of the Information and Privacy Commissioner Newfoundland and Labrador. (2026). Report P‑2026‑001: Department of Education and Early Childhood Development.