Letter of Commitment to the Office of the Privacy Commissioner of Canada (“OPC”)

By PowerSchool Holdings, Inc. (“PowerSchool”)

General Terms

  1. The Privacy Commissioner of Canada (“the Commissioner”) oversees compliance with the Personal Information Protection and Electronic Documents Act (“the Act”), which governs the collection, use or disclosure of personal information by private-sector organizations in the course of commercial activities.
  2. PowerSchool has agreed, at the request of the Commissioner, to fulfil the commitments set out in this Letter of Commitment (“Letter”), in which PowerSchool confirms the actions it has taken to safeguard personal information since the cyberattack on PowerSchool that occurred in December 2024 (“the Cyberattack”), and commits to provide additional information and to perform certain additional tasks in relation to the Cyberattack.
  3. Upon PowerSchool signing this Letter, complaints received by the Commissioner relating to the breach of PowerSchool’s security safeguards will be discontinued in accordance with paragraph 12.2(1)(c) of PIPEDA, on the basis that PowerSchool has provided a fair and reasonable response to the complaint. The Commissioner retains discretion to initiate a complaint under subsection 11(2) of PIPEDA should PowerSchool not fulfil the commitments set out in Parts I to III of this Letter by March 31, 2026, or if new privacy concerns are brought to the Commissioner’s attention in relation to this matter.
  4. The Commissioner may request information and documents from PowerSchool for the purpose of verifying that PowerSchool is fulfilling the commitments it made in this Letter.
  5. The Commissioner may seek further commitments from PowerSchool following review of any additional information that he receives on the matter.
  6. This Letter, or part thereof, may be disclosed or made public by the Commissioner under s. 20 of the Act.
  7. For greater certainty, and noting that the Commissioner takes the position that PIPEDA applies, nothing in this Letter shall prevent or otherwise limit the Commissioner from exercising or performing any of his powers and duties under the Act.
  8. The personal information involved in the incident that took place in December 2024 described below may be subject to privacy legislation in other jurisdictions, and nothing in this Letter shall prevent or otherwise limit other privacy authorities from exercising or performing any of their powers and duties under their applicable legislation.
  9. This Letter is not intended as, or to be construed as, an admission of liability or wrongdoing by PowerSchool.

Incident Overview

On January 27, 2025, PowerSchool reported a breach of its security safeguards to the Office of the Privacy Commissioner (“OPC”), which affected the personal information of millions of individuals in Canada.

The facts of the breach as they are known on the date of signature of this Letter and as confirmed by PowerSchool are as follows:

  • Using a contractor’s compromised credentials, a threat actor gained unauthorized access to PowerSource and subsequently to the Student Information Systems (the “SIS”) environments of PowerSchool clients (including schools, school boards, and school districts). The threat actor exfiltrated data from SIS environments, including the personal information of current and former students, current and former educators, and parents, across several provinces and territories. The threat actor gained unauthorized access to PowerSource using the compromised account between December 19 and December 28, 2024. PowerSchool also confirmed that an unknown actor had accessed PowerSource using the compromised support credentials in August 2024.
  • The personal information that was compromised for affected individuals includes a varying combination of name, contact information, date of birth, and, for a subset of individuals, medical alert information, Social Insurance Number (SIN), and other information that clients may have stored in their SIS.
  • In January and February 2025, PowerSchool notified affected clients (schools, school boards, and school districts) and also directly and indirectly notified Canadians affected by the breach in cases where they were authorized by the schools, school boards or school districts. The indirect notification was done through the addition of new web content specific to the incident which included the notification requirement, and the information was promoted via media releases.
  • PowerSchool has confirmed it is offering two years of identity protection services to affected students and educators under the age of majority, and two years of credit monitoring services to affected students and educators over the age of majority. PowerSchool is offering these services to affected individuals, regardless of whether their SIN was involved.
  • PowerSchool, through counsel, hired the cyber security firm, CrowdStrike Holdings, Inc. (“CrowdStrike”) to complete a forensic investigation. On February 28, 2025, CrowdStrike submitted a report of its forensic investigation of the breach to PowerSchool and PowerSchool subsequently shared it with the OPC. This report is publicly available on PowerSchool’s website.
  • Following the breach, to ensure that the impacted environment was secured, PowerSchool took several steps including deactivating the compromised credential, enforcing a full password reset for employees and contractors, restricting access to and tightening password and access controls for the affected customer support portal, and requiring the use of the company’s VPN (which itself requires single sign-on and multi-factor authentication) to access the PowerSource customer support platform environment.

The OPC acknowledges that PowerSchool took measures to contain the breach, notified affected parties and offered credit protection.

As part of this Letter of Commitment, PowerSchool voluntarily commits to the additional actions set out below to support its security safeguards and measures, continue addressing this breach, and prevent future breaches. PowerSchool recognizes and is of the position that clients affected by the breach may themselves be subject to breach reporting requirements under provincial/territorial privacy legislation or regulations.

Commitments

I. Safeguards

  1. By July 31, 2025, PowerSchool will confirm to the Commissioner whether it has contracted and/or will receive any additional forensic information or recommendation(s) about the incident from CrowdStrike or other forensic investigative entities other than those already included in the March 2025 report, and if so, will provide a copy of the information.
  2. By July 31, 2025, PowerSchool will confirm to the Commissioner whether it plans to implement any additional authentication process for the PowerSource platform and provide details explaining the additional measures including dates of implementation. Should PowerSchool choose to not implement an additional authentication process, it will provide to the Commissioner a detailed explanation.
  3. By December 31, 2025, PowerSchool will provide the Commissioner evidence that will clearly demonstrate that 1) it has strengthened its monitoring and detection tools and 2) its tools can identify patterns of irregular activity.
  4. By December 31, 2025, PowerSchool will provide the Commissioner evidence that will clearly demonstrate that it has conducted a review and readjustment of its system access privileges to align with security best practices and operational needs, including customer support agents.

II. Breach Reporting

In addition to any obligations imposed by other authorities, legislation and/or contractual arrangements, PowerSchool will continue to fulfill any applicable contractual obligations to its clients to provide information about the breach and its aftermath so that they can understand the circumstances of the breach, assess the risk of harm to affected individuals, and carry out their breach reporting and notification obligations under applicable privacy legislation.

III. Other

  1. By March 31, 2026, PowerSchool will provide the Commissioner with information demonstrating that it has obtained recertification of ISO/IEC 27001 compliance.
  2. By March 31, 2026, PowerSchool will provide the Commissioner with a security assessment and report conducted by an accredited and independent external security assessment firm that assesses PowerSchool’s updated information security safeguards, which will include at a minimum:
    1. an assessment of the effectiveness of PowerSchool’s safeguards to protect personal information;
    2. an assessment of PowerSchool’s ability to prevent, detect, and respond to potential breaches;
    3. the identification of any internal and external risks that could potentially affect personal information; and
    4. solutions to address those risks.
  3. If the security assessment firm issues recommendations to PowerSchool in the context of the assessment, PowerSchool will provide a copy of the recommendations and inform the Commissioner of the following:
    1. whether PowerSchool has accepted each of the recommendations;
    2. if not, the reason why; and
    3. if accepted, whether the recommendation has been fully implemented and the actions taken by PowerSchool to implement the recommendation; if not yet fully implemented, PowerSchool will provide to the Commissioner an implementation plan, detailing the actions PowerSchool will take to implement the recommendations and the dates by which these actions will be completed.
    The recommendations (or lack thereof) and their implementation will be subject to review and approval by the Commissioner.

Signature

PowerSchool enters into these commitments voluntarily. PowerSchool does not waive, and explicitly reserves, all arguments regarding PowerSchool’s position on the application of PIPEDA and the extent of the Commissioner’s jurisdiction over PowerSchool.

Upon signing this Letter, PowerSchool commits to the terms set out herein.

Signed at Folsom, in the State of California, this 15th day of July 2025.