The Ottawa Catholic School Board (OCSB) says a recent data breach of the PowerSchool student information system included data going back more than 25 years.
The breach occurred between Dec. 19 and 23, 2024, and involved “limited student and staff data,” according to the U.S.-based PowerSchool company. School boards in six provinces were affected.
In an email to parents and guardians Tuesday, the OCSB shared a list of what data was and was not affected by the breach. It said the breach affected all current students and any former students who were enrolled during or after the 1998-1999 school year.
“Following the initial email sent to parents and guardians last week, we are providing this update to share additional details regarding the recent data breach involving PowerSchool, our student information system provider. We wish to reiterate that PowerSchool has taken full responsibility for this breach and that it wasn’t as a result of any action or inaction on the part of the OCSB,” the letter said.
“PowerSchool has assured us that the breach has been contained, and the accessed data has been deleted without being shared publicly. They have implemented enhanced security measures to prevent future incidents, including stricter access controls and additional monitoring of their systems. The OCSB continues to collaborate with PowerSchool to ensure the ongoing safety of all data.”
The board says the following information for all students was affected by the breach:
- Name (First, last, legal, and preferred)
- Date of birth
- Address
- Place of birth (country, province)
- Student email address
- Gender
- Grade level
- OCSB student number
- Ontario Education Number (OEN)
Some students' medical information, previous school names and addresses, and assessment notes from the Family Welcome Centre were also affected.
The names and email addresses of the guardians of students registered prior to September 2023 and their emergency contact phone numbers were also breached.
“At this time, there is no evidence that any data has been exposed publicly. If any further actions are required, we will notify all affected individuals and provide clear instructions,” the board said.
The OCSB says the following information was not included in the breach:
- Credit card information
- OHIP information
- SIN numbers
- Student photos
- Student passwords
- Caregiver information (name, address)
- Grades
- Report cards
- Course information
- Course schedules
- Bussing information
- Homeroom assignment/teacher
- Immigration documents
- Permanent Resident number
- Psychological assessments
- IEP/IPRC info
- Suspensions/expulsions
- Disciplinary notes
- Indigenous identification
- Documents that are uploaded in the registration form
- Baptismal status
The board also warned parents and guardians about possible scams related to news about the breach.
“Be wary of emails or messages claiming to offer assistance in deleting or securing your child’s information,” the OCSB said. “We advise you to ignore or report such emails. If you encounter suspicious communications, do not click on any links or provide any personal information. Instead, report spam to the Canadian anti-spam website.”
The public Ottawa-Carleton District School Board said last week it was not affected by the breach. Ottawa’s French public and catholic school boards also confirmed they were not affected.
