PowerSchool Cyber Incident
PowerSchool Cybersecurity Incident
We will share new information from PowerSchool as it becomes available.
Update: January 10, 2025
PowerSchool has informed impacted district IT teams that the individuals impacted by the cyber incident could/would include inactive students and their inactive contacts, from the present back through past years. For USDB, that may include data from USDB’s adoption of PowerSchool from 2017 to the present.
Update: January 9, 2025
What happened?
On Tuesday, January 7, PowerSchool, our student information system provider, informed us of a cybersecurity incident on their systems that may have affected all PowerSchool customers. Utah Schools for the Deaf and the Blind (USDB) uses the PowerSchool student information system to store education records about district students.
On January 8, we attended a webinar with PowerSchool and confirmed that our system was affected. It appears that unauthorized access was gained to our student information system. USDB notified parents/guardians, staff, the Utah State Board of Education, and the USDB Advisory Council that same date.
This breach involves PowerSchool’s systems and platforms, and is not the result of USDB’s systems and security procedures.
What was affected?
While we are still assessing the full extent of the breach, we believe the intruders accessed both student and teacher data. The teacher data includes basic information like ID, name, email, and title. The student data includes demographic details such as:
- student ID
- Utah state student ID
- name
- birthdate
- current school ID
- current school enrollment dates
- grade
- locker number
- locker combination
- current lunch balance
- home and mailing address
- guardian name and contact information
- emergency contact information
- free and reduced meal status
- medical alerts
Social Security numbers were not involved, and USDB does not store any Social Security numbers in PowerSchool.
What are we doing?
USDB IT staff have confirmed that the threat has been contained, and the intruder no longer has access to our system.
PowerSchool is working with cybersecurity experts from CrowdStrike to investigate further. We expect to have more information over the next two weeks and will provide updates if and when we receive additional information.
PowerSchool will be providing credit/identity monitoring services to affected individuals.
At this time, we do not believe any other systems within USDB were affected.
Information shared by PowerSchool January 8, 2025
The education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
While the company’s products are mostly known by school districts and their staff, PowerSchool also operates Naviance, a platform used by many K-12 districts in the US to offer personalized college, career, and life readiness planning tools to students.
Targeted in data-theft attacks
In a cybersecurity incident notification sent to customers Tuesday afternoon and obtained by BleepingComputer, PowerSchool says they first became aware of the breach on December 28, 2024, after PowerSchool SIS customer information was stolen through its PowerSource customer support platform.
PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more.
“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” reads a notification shared with BleepingComputer.
After investigating the incident, it was determined that the threat actor gained access to the portal using compromised credentials and stole data using an “export data manager” customer support tool.
“The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource,” PowerSchool told BleepingComputer in a statement.
“PowerSource contains a maintenance access tool that allows PowerSchool engineers to access Customer SIS instances for ongoing support and to troubleshoot performance issues.”
Using this tool, the attacker exported the PowerSchool SIS ‘Students’ and ‘Teachers’ database tables to a CSV file, which was then stolen.
PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades.
A PowerSchool spokesperson told BleepingComputer that customer tickets, customer credentials, or forum data were not exposed or exfiltrated in the breach.
The company also stressed that not all PowerSchool SIS customers were impacted and that they anticipate only a subset of customers will have to issue notifications.
In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.
This includes rotating the passwords for all PowerSource customer support portal accounts and implementing tighter password policies.
In an unusually transparent FAQ only accessible to customers, PowerSchool also confirmed that this was not a ransomware attack but that they did pay a ransom to prevent the data from being released.
“PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors,” reads an FAQ seen by BleepingComputer.
“With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
When asked how much was paid to the threat actors, BleepingComputer was told, “Given the sensitive nature of our investigation, we are unable to provide information on certain specifics.”
While the company said they received a video showing that the data was deleted, as with all data extortion attacks, there is never a hundred percent guarantee that it was.
The company is now continuously monitoring the dark web to determine if the data has been leaked or will be leaked in the future.
For those impacted, PowerSchool is offering credit monitoring services to impacted adults and identity protection services for impacted minors.
PowerSchool says its operations remain unaffected, and services continue as usual despite the breach.
The company is now notifying impacted school districts and will be providing a communications package in the coming days that includes outreach emails, talking points, and FAQs to help inform teachers and families about the incident.
While PowerSchool says that not all of these fields may be populated by data, the stolen data could include sensitive information for minors, such as names, addresses, phone numbers, Social Security Numbers, grade point averages, bus stops, passwords, notes, alerts, student IDs, parent information, and medical information.
For teachers, the data could include their names, addresses, phone numbers, Social Security Numbers, and passwords.
The investigation is ongoing, with cybersecurity firm CrowdStrike expected to release a finalized report by January 17, 2025.
PowerSchool says they are committed to transparency and will share the report with affected school districts when it is ready.
Impacted school districts
After the security incident was disclosed by PowerSchool, school districts have begun notifying parents and students about the breach.
Below is a list of school districts that have disclosed being impacted by the PowerSchool breach so far; the list is being updated continuously:
- Alabama School Districts
- Etowah County School District in Alabama
- San Diego Unified School District in California*
- North Branford Public Schools Community in Connecticut*
- Region 1 School District in Connecticut
- Colchester School District in Connecticut*
- Brownsburg Community Schools in Indiana*
- Ascension Parish Public Schools in Louisiana
- St. Charles Parish Public Schools in Louisiana
- Pittsfield Public Schools in Massachusetts
- Bessemer Area Schools in Michigan
- SAU 21 in New Hampshire
- North Carolina School Districts
- Fairmount Public Schools in North Dakota
- North Border School District in North Dakota
- Lower Merion School District (LMSD) in Pennsylvania
- Oxford Area School District in Pennsylvania
- Cache County School District and Utah Schools for the Deaf and the Blind in Utah
- Colchester School District in Vermont
- Sturgeon Bay Schools in Wisconsin