PowerSchool Cybersecurity Event (Updated: May 5, 2025)

Updated: May 5, 2025

We are writing with an update on the PowerSchool cybersecurity incident. In our previous updates PowerSchool Cybersecurity Event (www.bsd.ca) about the incident, we mentioned that PowerSchool would be sending emails to students, parents/guardians, and educators whose information was involved in the incident. We understand that members of the Brandon School Division community have now received this email from PowerSchool and others may receive it in the coming days. 

We understand from PowerSchool that the email was or will be sent from one of the following similar email addresses: ps-sis-incident@mail.csid.com; ps-sis-incident@mail1.csid.com; or ps-sis-incident@mail2.csid.com. If you receive or have received an email from any one of these email addresses with the subject line “PowerSchool Cybersecurity Incident”, we have been assured by PowerSchool that it is a legitimate email. The email includes information about how to activate the 2 years of identity protection and/or credit monitoring services offered. Please find attached an example of what the email from PowerSchool looks like, although there may be differences between it and the one you receive. 

Whether or not you received the email from PowerSchool, you may also visit PowerSchool’s website to learn how to activate the identity protection and/or credit monitoring services. For those able to utilize credit monitoring services (anyone age 18 and over), you will be prompted to validate before activating by entering your name and date of birth. Anyone, including those under 18, can utilize the identity protection services. PowerSchool has advised that you can call 833-918-7884 if you have any questions.

Please review the email from PowerSchool carefully. It includes details about the incident and the information identified by PowerSchool as involved. In the email, PowerSchool explains that, on December 28, 2024, it became aware that it experienced a cybersecurity incident involving unauthorized access to and exfiltration (acquisition) of certain personal information from PowerSchool Student Information System (SIS) environments. This occurred between around December 19 and December 28, 2024. PowerSchool also advised us that it has taken steps to prevent the information involved from further unauthorized access or misuse, that it does not anticipate the information being shared or made public, and that it believes the information has been deleted without any further replication or dissemination. Like many school institutions across North America, we use PowerSchool for our SIS and thus were informed by PowerSchool that information stored by Brandon School Division in our SIS was involved in the incident.

You will see that PowerSchool includes in the email a description of some of the information that was potentially involved in the incident. The information involved varies by person. 

For students, the information involved will generally be limited to information parents/guardians provided Brandon School Division upon registration of their child as a student or any subsequent updates to that information. For many students, the information involved was name, date of birth, gender, ethnicity, phone number, address, MET number, school ID number, and/or enrolment/registration records as well as the parent/guardian’s name and phone number. For a small number of students, there was also Personal Health Information Number, relevant medical information (e.g., allergies), and/or relevant alerts (e.g., related to discipline, guardian, custody, or other issues).

For staff, the information involved was name, school contact information, and/or school ID number.

The email from PowerSchool also refers to Social Insurance Number (SIN) as potentially involved but should also include a statement if there is no evidence that your SIN was involved – please review the email carefully. As we mentioned previously, based on our own investigation of the information stored in our SIS, no parent/guardian, staff, or student SIN, banking, or credit card information was stored in our SIS and thus such information was NOT involved in the incident – the email from PowerSchool should thus say there is no evidence your SIN was involved. PowerSchool has nevertheless offered identity protection and/or credit monitoring to all individuals with any information involved. We encourage you to sign up for the services offered by PowerSchool.

When we learned of the incident, we conducted an investigation with the assistance of experts and worked diligently to request details from PowerSchool. We also worked with other school divisions in Manitoba that are similarly impacted. We have been assured by PowerSchool that the incident has been contained. We took steps to confirm there was no ongoing threat and to reduce the risk of a similar future threat, including by confirming that PowerSchool: engaged its cybersecurity response protocols, engaged a cybersecurity expert to conduct a forensic investigation, deactivated a compromised account, conducted a full password reset, initiated enhanced processes for access, further strengthened password policies and controls, and notified law enforcement. We have also informed the Manitoba Ombudsman of the incident and have attached additional information about steps you can take to help protect personal information.

Please find attached answers to some questions you may have. If you have any additional questions, they can be directed to Denis Labossiere, Secretary-Treasurer, at info@bsd.ca. 

In Brandon School Division, we take cybersecurity and protecting information seriously. We sincerely regret that this incident occurred and thank you for your continued understanding.

BRANDON SCHOOL DIVISION
1031 – 6^th Street | Brandon, MB | R7A 4K5
Web: www.bsd.ca | Email:  info@bsd.ca