PowerSchool Data Breach Resources
PowerSchool informed SCESD of a data breach of its Student Information System (SIS) that impacted current and former students and staff who had records in that system.
PowerSchool is a "legacy" vendor, in that it maintains records from students and staff prior to June 2021. The District no longer uses PowerSchool, but we are required to maintain the data that was collected by PowerSchool.
This data breach does not impact you if your child(ren) enrolled in, or if you became a staff member of the District after June 2021.
SCESD has been focused on learning as much as possible about the breach and its implications for our current and former staff and students. This page is dedicated to providing comprehensive and transparent communications to our community.
In the tabs below, you will find our Frequently Asked Questions (FAQ), as well as the steps PowerSchool will take to remediate the breach and the services they will provide.
The District takes the protection of your personal information seriously, and we will continue to work closely with PowerSchool to ensure the safety of your data. Thank you for your patience and understanding as we navigate this issue.
Frequently Asked Questions
What is PowerSchool?
PowerSchool provides cloud-based software to K-12 schools, including PowerSchool Student Information System (SIS), which serves as a database for student records, among other uses. PowerSchool provides these products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. PowerSchool, however, has not yet revealed the number of customers affected by the incident “due to the sensitive nature of [their] investigation.”
Schools use Student Information Systems (SIS) for many reasons, including to be able to quickly and easily contact families if the need arises, to be aware of each student's unique needs and give teachers and other staff insight into how to best meet those needs, to store grades, to monitor attendance, and so on. In addition, SIS like PowerSchool provide districts with the ability to meet annual state reporting mandates.
SCESD transitioned to another SIS provider in 2021. Legacy data from District students and staff is maintained on PowerSchool servers.
What are the details of the incident?
In late December, PowerSchool became aware of unauthorized access to information through its customer support portal, PowerSource. Their subsequent investigation revealed that an unauthorized party gained access to certain PowerSchool SIS customer data using a compromised credential. This credential, which was tied to a maintenance account, gave the hackers deep access to many PowerSchool customers’ data.
How did PowerSchool respond to the data breach?
PowerSchool immediately engaged its cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. They are working to complete their investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services, if applicable) as they become available.
On January 7, 2025, PowerSchool communicated this incident to the PowerSchool SIS customers affected by this incident.
Are SCESD practices responsible for the data breach?
No. SCESD is one of potentially up to 16,000 customers victimized by the exploitation of a vulnerability in PowerSchool’s systems. PowerSchool SIS is cloud-hosted, and it is PowerSchool's responsibility to maintain and secure it.
When did SCESD learn of the incident, and how did it respond?
PowerSchool notified the District of the data breach on January 7, 2025. We then reviewed our PowerSchool logs and confirmed that our data was accessed by the compromised credentials that PowerSchool identified. Between then and now, the District's IT team has been gathering further information from PowerSchool, and awaiting direction on how they intend to assist customers.
Who breached PowerSchool and accessed the data?
The threat actor who accessed the data has not been named. The IP address that was recorded points to someone in Ukraine; however, this is not definitive, and an IP address can easily be fabricated.
What student data from SCESD was accessed, and who does it impact?
Students enrolled from 2006-2021 had their data accessed. The data accessed included personally identifiable information (PII), which included the following: student demographics, parent and emergency contact information, home phone and address, medical alerts, and enrollment information. Additionally, 319 previously enrolled students who were born between Dec. 5, 2002 and Jan. 29, 2004, had their Social Security numbers accessed.
What employee data from SCESD was accessed, and who does it impact?
Employees of the SCESD employed before July 1, 2021, had their data accessed. The data accessed included personally identifiable information (PII), which included the following: employee first name, employee last name, work email address, and ethnicity. Additionally, the home phone number and home address were accessed for a small number of employees (fewer than 20, most of whom are no longer employed by the District).
Why does PowerSchool not anticipate the data will be shared or made public and that it has been deleted without any further replication or dissemination, and what additional steps will PowerSchool be taking to ensure this?
PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors. This implies that the party responsible for accessing the data demanded a ransom from PowerSchool and that, working through CyberSteward, PowerSchool paid the ransom and received reasonable assurances (i.e., video confirmation) that the data was deleted. PowerSchool will engage consultants to monitor the Dark Web for the impacted data to ensure it does not appear.
It is in the best interest of cyber criminals to keep their word because their “business model,” if you will, depends on reliably deleting data when ransoms are paid, or else in the future, victims will not pay the ransom. Nevertheless, if a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose.
PowerSchool has committed to providing credit monitoring services for adults whose data was impacted, as well as identity protection services for minors whose data was impacted. They have not shared the details about how this will work yet, but SCESD will pass along this and any other updates as we receive them.
Why does SCESD have historical records in PowerSchool? Shouldn’t they have been deleted once students promote or leave the District? And can I request that my student's record be deleted?
California law requires school districts to store “Mandatory Permanent Pupil Records” in perpetuity, meaning forever. Examples of Mandatory Permanent Pupil Records include, but are not limited to, a pupil's name, date of birth (DOB), marks or credits, and parent/guardian name and address (5 Cal. Code Regs. § 430(d)(1)). The District is permitted to store these records electronically via Student Information Systems (SIS) like PowerSchool.
Some parents/guardians of graduated students have requested that we delete their students’ records. Under California law, schools must maintain graduated students’ Mandatory Permanent Pupil Records in perpetuity (5 Cal. Code Regs. §§ 430(d)(1), 437(b)). The District does not have the discretion to delete Mandatory Permanent Pupil Records, even when requested to do so by parents/guardians.
What actions should families and staff take now?
There is no action that anyone needs to take at this time other than to be on the lookout for updates from the District. Whatever new information we learn will be published here on the PowerSchool Data Breach FAQ page. Current and former school community members should be on guard for potential phishing/social engineering attempts using this incident as a pretext. Please remain vigilant, as PowerSchool will never contact you by phone or email to request your personal or account information.
As of January 17, PowerSchool announced that all individuals impacted by the breach will qualify for identity protection and/or credit monitoring services from Experian. PowerSchool stated that Experian will provide these notifications "in the next few weeks" from this date. This is a vague time range, but we would expect notices by mid-February at the latest. Please see the PowerSchool remediation tab above for more information.
PowerSchool Remediation
Identity Protection and Credit Monitoring Services
PowerSchool will offer two years of free identity protection services for all students and staff members whose information was exfiltrated, which will also include two years of complimentary credit monitoring services for all adult students and staff members whose information was involved, regardless of whether an individual’s Social Security number was exfiltrated.
Experian, the credit reporting agency, will help PowerSchool provide these services. Details on how to enroll will be included as part of individual notifications. As the offer is specific to this incident, the details contained in the forthcoming enrollment notification will be required to enroll, and cannot be obtained directly from Experian.
Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent / guardian enrolls an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.
Experian will also provide a call center to answer questions from the community.
Notification Date and Details
PowerSchool will be handling notifications to involved individuals on SCESD's behalf. PowerSchool will coordinate with Experian to provide notice on SCESD's behalf to students (or their parents / guardians if the student is under 18) and staff as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
PowerSchool will publish the notice on its website, circulate the notice to local media, and send the notice to email addresses, where available, of involved individuals. The notice received by each individual will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).
General Information about Identity Theft Protection
Please see PowerSchool's resources about additional steps one can take to protect one's identity.