PowerSchool Data Breach Notification

As we previously communicated, PowerSchool – a cloud-based software vendor used by D103 – recently experienced a cybersecurity incident involving unauthorized access to certain information in the PowerSchool Student Information System (SIS).

We are reaching out to share more information and next steps that we recently received directly from PowerSchool:

  • Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
  • Notification to Individuals Involved: Starting in the next few weeks, in collaboration with Experian, PowerSchool will provide notice to students (or their parents / guardians if the student is under 18) and educators whose information was involved, as well as a phone number to answer any questions you may have about the incident. The notice will include the identity protection and credit monitoring services offer (as applicable).
  • As soon as PowerSchool learned of the incident, they engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. PowerSchool is not aware of any identity theft attributable to this incident.

In the meantime, I encourage you to visit the PowerSchool website for up-to-date information on the cybersecurity incident. We care deeply about the welfare of our families and will continue to do everything we can to support you. Thank you for the important role you play in our community and your shared commitment to putting our students first.

Background

On the afternoon of Tuesday, January 7, 2025, our school district was informed by PowerSchool of a recent data breach within the PowerSchool Student Information System (PowerSchool SIS). This breach has had a global impact on its customers, including our district. I am writing to share the information we have at this time, and outline the next steps in our response.

We understand that situations like this can be deeply unsettling, as the privacy and security of personal information are matters of great concern. Please know that we are working with PowerSchool to better understand the scope of the breach and to ensure that appropriate measures are taken to safeguard the information. We will keep you informed of developments as they become available from PowerSchool. 

Description of the Data Breach

On December 28, 2024, PowerSchool discovered that a threat actor (the person or group that caused the breach) had accessed personal employee and student information from customers worldwide using the PowerSchool Student Information System (PowerSchool SIS). The threat actor exploited the user account of a PowerSchool technical support employee, allowing rapid access to and download of records from an unknown number of schools and districts worldwide between December 19 and December 23, 2024.

Using instructions provided by PowerSchool, D103’s Technology Team identified that portions of approximately 6,754 current and former student records and 1,778 employee records were accessed, including information such as:

Students

  • Student names and ID numbers
  • Home Address
  • Date of Birth
  • Parent/guardian contact information
  • Dates of enrollment and withdrawal reasons
  • Limited medical alert information (e.g., allergies, life-threatening conditions)
  • Whether or not a student has an IEP or 504, but not the actual information from the IEP or 504
  • Free and reduced lunch status

Employees

  • Employee names and ID numbers
  • Department
  • Employee type
  • School email address (and some personal)
  • Home Address
  • School and home phone number

Although PowerSchool has assured us that they have received reasonable assurances that the compromised data has been deleted and that no additional copies exist, we remain vigilant and are leveraging all available resources to thoroughly assess the situation and strengthen the protection of our systems.

District 103 Data Security Measures

Our school district takes data security very seriously and has several robust measures in place to safeguard our systems:

  • Privacy Laws: D103 carefully follows all privacy laws in order to protect the privacy and data of our stakeholders. Such laws include FERPA, COPPA, and SOPPA.
  • Two-Factor Authentication: All employee users must verify their identity with a second factor, such as a security key or text message authentication, in addition to their password.
  • Automated Access Management: Our PowerSchool server integrates with our Google domain to automatically remove access for employees who leave the organization or change positions.
  • Best Practices: We follow security best practices, including enforcing security updates, regular training for our staff, and system monitoring to prevent unauthorized access.
  • Regular Cybersecurity Audits: With the help of multiple consultants and agencies, we conduct yearly audits of our cybersecurity posture to look for opportunities to strengthen our defenses.

Next Steps in Response to the Data Breach

The Technology Team continues to review data, validate system configurations and assess any additional actions that may be necessary. We are collaborating closely with other impacted school districts and leveraging our membership in both statewide and national educational technology organizations to ensure we have taken every possible step in responding to the data breach.

PowerSchool has provided the next steps it is taking in response to this incident:

  • PowerSchool has engaged CrowdStrike, a third-party cybersecurity firm, to investigate the breach. Their final forensic report is anticipated to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.
  • PowerSchool has implemented additional information security best practices requiring updated credentials for all employees, and restricting access to their support system tools. 

In accordance with the Student Online Personal Protection Act (SOPPA), D103 has prepared additional contact information for the FTC and credit agencies.

We will continue to keep our community informed as we learn more about this incident from PowerSchool. If you have any questions regarding this incident, please utilize this online form.