PowerSchool Cybersecurity Event

The Government of Prince Edward Island is informing students, parents, guardians, teachers, and school administration that some of their personal information may have been part of PowerSchool’s recent North American cybersecurity incident.

What happened?

On January 7, 2025, PowerSchool, a third-party platform used by many education systems including PEI, advised the Government of Prince Edward Island that personal data of past and present Island school members may have been compromised.

Who is impacted?

The investigation has identified two groups of affected individuals. If you fall into either of these groups, some personal information was likely exposed, and you are likely considered an affected individual:

1. Any student at any K-12 school in Prince Edward Island from 2003 to 2024, as well as students pre-registered for kindergarten in 2025.
2. Any PSB, CSLF or Department of Education staff member between 2020 and 2024 who had a access to PowerSchool via the admin or teacher portal, or who received email, text or voice broadcasts via SchoolMessenger. This includes current and former teachers, administrative assistants, bus drivers, and youth service workers, but does not include educational assistants.

Data relating to approximately 70,000 students was accessed with the oldest student records involved from 2003. Approximately 67% per cent of the students whose data was accessed are no longer in the K-12 system.

How do I confirm I was affected and review my exposed information?

If you have received an email notification from PowerSchool or the Department of Education and Early Years, then you have been identified as being affected by the PowerSchool cybersecurity event.

If you have not received an email notification from PowerSchool or the Department of Education and Early  Years, and would like to confirm if you were affected, if you have questions about this incident or if you would like a copy of your or your child’s breached personal information, please contact administration at the Department of Education and Early Years at (902) 438-4130 or depteey@gov.pe.ca. For the safety of affected individuals, you will be required to verify your identity before the breached information is provided to you.

You may access details of the breached information in two pre-arranged ways. Pre-arrangements must be made by contacting the above phone number or email. Options for affected individual or their parents/guardians are:

1. Pre-arranged pick up a printed package at one of our designated locations. Valid identification must be presented at the time of pick up.
2. Electronic delivery of a PDF. Individuals must join a video call (Teams/Zoom) to present valid identification before receiving the information.

Please contact us if you require accommodation to access your information.

For current employees only: To request a summary of your breached information, email depteey@gov.pe.ca directly from your government email address (must be an @gov.pe.ca, @edu.pe.ca or @ihis.org email). No additional identity verification will be required.

What is considered valid identification?

The identification needs to be issued by a federal, provincial or territorial government and needs to be valid, not expired. To be considered acceptable, the valid identification needs to include your: name; date of birth; photo; signature.

Valid acceptable identification includes but is not limited to:

• Secure Certificate of Indian Status (secure status card)
• Certificate of Indian Status (status card)
• Passport
• Driver's license
• Canadian military identification card
• Government-issued identification card

If you don’t have any one piece of identification that meets all the requirements, you can present multiple forms that, when combined, include all the information required.

Is PowerSchool providing credit monitoring/identity theft protection for affected individuals?

Yes, PowerSchool has agreed to provide two (2) years of credit monitoring services to affected individuals over the age of 18 and two (2) years of identity protection services to all affect individuals of any age. You can find out more about this offer and how to sign up for these services on PowerSchool’s Notice of Data Breach website at: https://www.powerschool.com/security/sis-incident/notice-of-canada-data-...

These services are available at no charge to all affected individuals, regardless of what type of information was exposed in your case. Please be aware that there is a deadline of July 31, 2025 to sign up for these services.

The Province has been advised that beginning February 20, PowerSchool has begun notifying impacted school community members on how to access these services. If you have received an email from ps-sis-incident@mail.csid.com, ps-sis-incident@mail1.csid.com, or ps-sis-incident@mail2.csid.com, it is legitimate and contains instructions on how to access these free services.

If you have any questions or concerns about this notice, please call 833-918-7884, Monday through Friday, 8:00 am through 8:00 pm Central Time (excluding major US holidays). Please be prepared to provide engagement number B138905. PowerSchool has advised that they will never contact you by phone or email to request your personal or account information.

What if I have not received a notification email?

PowerSchool and the Department of Education and Early Years have taken steps to notify all affected individuals of the incident and their respective responses to it. If you believe you may be an affected individual but have not received an email notification directly, it is most likely because your contact information was not available or up-to-date. In some cases, an email could also have gone undelivered or been caught by your spam filter. If you fall into one of the groups of students or staff described above, you should assume you are affected even if you do not receive an email notification.

Whether or not you receive an email notification, you can:

• Review the contents of this page to learn about the breach, how it might impact you, and what you can do;
• Contact the Department of Education and Early Years to confirm if you were affected and review your information (note that you will need to verify your identity before any information can be shared);
• Review PowerSchool’s Notice of Breach site and their offer for credit monitoring and identity protection services, and sign up for those services if you are interested and eligible.

What information may have been compromised?

Personal information that may have been accessed includes:

Students:

• First, Middle & Last Names
• Date of Birth
• Gender
• Grade Level and School Information
• Start/End Date as a Student
• Medical Information (e.g., allergies, conditions, injuries)
• Home and Mailing Addresses
• Home Phone Numbers
• Key points about discipline issues (e.g., suspensions, behavioral strategies)
• Custody arrangements

Staff:

• First, Middle & Last Names
• Employee IDs and Job Titles
• School Names
• Email Addresses

In a small number of cases (<10%), the information accessed includes:

• Home Addresses
• Home Phone Numbers
• Dates of transfers between schools, extended leaves, or retirements

Were social insurance numbers (SIN) or banking information accessed?

No, PEI education authorities do not store any SINs, financial, or banking information in the PowerSchool Student Information System.

Was my medical information affected?

If you provided medical information to PSB or CSLF to document an allergy, illness, or condition, your medical information would be included in PowerSchool’s cybersecurity event. Provincial Health Numbers (PHNs) are not stored in PowerSchool, and so were not affected by this incident.

Why do education authorities keep the records of former students?

Provincial regulations require student records be kept for 73 years from the student’s date of birth. This historical student information is stored in PowerSchool’s Student Information System to respond to requests for former student records (transcripts) and proof-of-enrollment letters.

What steps have been taken to protect privacy?

PowerSchool has taken several steps in response to the incident, including:

• Changing the passwords for all their staff who access the platform
• Increasing the password strength requirements of PowerSchool staff passwords
• Disabling PowerSchool’s ability to connect to PEI’s PowerSchool servers for support purposes
• Contacting law enforcement
• Bringing in two security companies to assist with responding to the breach

Is this cybersecurity event ongoing?

PowerSchool has advised the Province that they have contained this incident and have implemented enhanced internal controls to secure their system, including deactivating the compromised credentials. PowerSchool has also confirmed that there is no evidence of continued unauthorized activity.

The platform remains operational across the Island school system.

Who has been notified of the PowerSchool cybersecurity event?

Beginning March 25, 2025, we will start sending additional notifications to impacted individuals who had sensitive information exposed.

The Province issued a news release to advise all residents that PEI is among those affected by PowerSchool’s North American security incident. Further notices will be issued as information becomes available.

• February 21, 2025
• January 31, 2025
• January 09, 2025

Education partners that include the school authorities, unions, and the PEI Home and School Federation, have been notified and will be kept up to date with the latest information.

The Office of the Information and Privacy Commissioner (OIPC) was informed of this event on January 7, 2025. This office will continue to be kept updated on the provincial response. If you have concerns about the response, you may contact the OIPC by phone at 902-368-4099.

Who has been part of the provincial response team?

• The Department of Education and Early Years
• The Department of Finance
• PEI’s Access and Privacy Services Office
• Public Schools Branch
• La Commission scolaire de langue française
• PowerSchool

Who can I contact for more information?

Anyone with questions or concerns regarding this incident can contact the Department of Education and Early Years by email at depteey@gov.pe.ca while a dedicated phone number is made available.

How can you protect yourself and your family from phishing and online threats?

• Be cautious of unsolicited emails, messages, or phone calls:
  • Phishing attempts often come in the form of emails, texts, or calls pretending to be from a trusted source, like a bank or government agency.
  • Look for red flags like urgent language ("Your account has been compromised!"), spelling errors, or suspicious links.  If you were expecting the email, be cautious.
  • Verify the official email address of the person or company that has contacted you by calling them or going to their official website and checking their Contact Us information.
• Verify sources:
  • Never click on links or download attachments from unknown sources.
  • Instead of clicking on an email link, manually type the official website address into the browser to check for any updates or requests.
  • Contact the company directly using verified contact info (e.g., the phone number on their official website) if you're unsure about communication.
• Educate children about online safety:
  • Teach your kids not to share personal information (name, address, passwords, etc.) online, especially with strangers.
  • Explain the importance of only interacting with trusted websites and people.
• Monitor online activity:
  • Use parental control tools to track your children's online activities and set up alerts for unfamiliar transactions or activities.
  • Keep an eye on your child's social media profiles to ensure they aren't sharing too much personal information.
• Enable multi-factor authentication (MFA):
  • For accounts that allow it, set up two-factor authentication to add an extra layer of security.
• Use strong, unique passwords:
  • Encourage using complex passwords (at least 12 characters, with a mix of letters, numbers, and symbols),
  • Avoid reusing passwords across multiple sites
  • Update your passwords regularly (i.e. every 45 days)
  • Consider using a password manager to keep track of passwords securely.
• Monitor financial statements:
  • Regularly check bank statements, credit card bills, and credit reports for any unauthorized charges or accounts.
  • Set up alerts for transactions to quickly notice any unusual activity.
• Be aware of fake websites:
  • Look for "https" and a padlock icon in the browser’s address bar when entering sensitive information (such as payment details).
  • Double-check the website’s domain name to ensure it’s legitimate (e.g., avoid sites with strange or misspelled URLs).
• Avoid public Wi-Fi for sensitive transactions:
  • Avoid making online purchases or entering personal information while connected to public Wi-Fi, which may not be secure.
• Keep software updated:
  • Ensure that your device’s operating system and apps are regularly updated to fix vulnerabilities that could be exploited by hackers.
• Shred sensitive documents:
  • Shred any physical documents containing personal information (such as social security numbers, bank statements, etc.) to prevent identity theft through paper copies.

The above are good practices at anytime. For additional information on how to protect your family online, visit the Federal Government website, www.GetCyberSafe.ca