What is PowerSchool?
PowerSchool provides cloud-based software to K-12 schools, including PowerSchool Student Information System (SIS), which serves as a database for student records, among other uses. PowerSchool provides these products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. PowerSchool, however, has not yet revealed the number of customers affected by the incident “due to the sensitive nature of [their] investigation.”
Schools use Student Information Systems (SIS) for many reasons, including to be able to quickly and easily contact families if the need arises, to be aware of each student's unique needs and give teachers and other staff insight into how to best meet those needs, to store grades, to monitor attendance, and so on. In addition, SIS like PowerSchool provide districts with the ability to meet annual state reporting mandates.
SCESD transitioned to another SIS provider in 2021. Legacy data from District students and staff is maintained on PowerSchool servers.
What are the details of the incident?
In late December, PowerSchool became aware of unauthorized access to information through its customer support portal, PowerSource. Their subsequent investigation revealed that an unauthorized party gained access to certain PowerSchool SIS customer data using a compromised credential. This credential, which was tied to a maintenance account, gave the hackers deep access to many PowerSchool customers’ data.
How did PowerSchool respond to the data breach?
PowerSchool immediately engaged its cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. They are working to complete their investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services, if applicable) as they become available.
On January 7, 2025, PowerSchool communicated this incident to the PowerSchool SIS customers affected by this incident.
Are SCESD practices responsible for the data breach?
No. SCESD is one of potentially up to 16,000 customers victimized by the exploitation of a vulnerability in PowerSchool’s systems. PowerSchool SIS is cloud-hosted, and the responsibility of PowerSchool to maintain and secure.
When did SCESD learn of the incident, and how did it respond?
PowerSchool notified the District of the data breach on January 7, 2025. We then reviewed our PowerSchool logs and confirmed that our data was accessed by the compromised credentials that PowerSchool identified. Between then and now, the District's IT team has been gathering further information from PowerSchool, and awaiting direction on how they intend to assist customers.
Who breached PowerSchool and accessed the data?
The threat actor who accessed the data has not been named. The IP address that was recorded points to someone in Ukraine; however, this is not definitive, and an IP address can easily be fabricated.
What student data from SCESD was accessed, and who does it impact?
Students enrolled from 2006-2021 had their data accessed. The data accessed included personally identifiable information (PII), which included the following: student demographics, parent and emergency contact information, home phone and address, medical alerts, and enrollment information. Additionally, 319 previously enrolled students who were born between Dec. 5, 2002 and Jan. 29, 2004, had their social security numbers accessed.
What employee data from SCESD was accessed, and who does it impact?
Employees of the SCESD employed before July 1, 2021, had their data accessed. The data accessed included personally identifiable information (PII), which included the following: employee first name, employee last name, work email address, and ethnicity. Additionally, the home phone number and home address were accessed for a small number of employees (less than 20, most are whom are no longer employed by the District).
Why does PowerSchool not anticipate the data will be shared or made public and that it has been deleted without any further replication or dissemination, and what additional steps will PowerSchool be taking to ensure this?
PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors. This implies that the party responsible for accessing the data demanded a ransom from PowerSchool and that, working through CyberSteward, PowerSchool paid the ransom and received reasonable assurances (i.e., video confirmation) that the data was deleted. PowerSchool will engage consultants to monitor the Dark Web for the impacted data to ensure it does not appear.
It is in the best interest of cyber criminals to keep their word because their “business model,” if you will, depends on reliably deleting data when ransoms are paid, or else in the future, victims will not pay the ransom. Nevertheless, if a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose.
PowerSchool has committed to providing credit monitoring services for adults whose data was impacted, as well as identity protection services for minors whose data was impacted. They have not shared the details about how this will work yet, but SCESD will pass along this and any other updates as we receive them.
Why does SCESD have historical records in PowerSchool? Shouldn’t they have been deleted once students promote or leave the District? And can I request that my student's record be deleted?
California law requires school districts to store “Mandatory Permanent Pupil Records” in perpetuity, meaning forever. Examples of Mandatory Permanent Pupil Records include, but are not limited to, a pupil's name, date of birth (DOB), marks or credits, and parent/guardian name and address (5 Cal. Code Regs. § 430(d)(1)). The District is permitted to electronically store via Student Information Systems (SIS) like PowerSchool..
Some parents/guardians of graduated students have requested that we delete their students’ records. Under California law, schools must maintain graduated students’ Mandatory Permanent Pupil Records in perpetuity (5 Cal. Code Regs. §§ 430(d)(1), 437(b)). The District does not have the discretion to delete Mandatory Permanent Pupil Records, even when requested to do so by parents/guardians.
What actions should families and staff take now?
There is no action that anyone needs to take at this time other than to be on the lookout for updates from the District. Whatever new information we learn will be published here on the PowerSchool Data Breach FAQ page. Current and former school community members should be on guard for potential phishing/social engineering attempts using this incident as a pretext. Please remain vigilant, as PowerSchool will never contact you by phone or email to request your personal or account information.
As of January 17, PowerSchool announced that all individuals impacted by the breach will qualify for identity protection and/or credit monitoring services from Experian. PowerSchool stated that Experian will provide these notifications "in the next few weeks" from this date. This a vague time range, but we would expect notices by mid-February at the latest. Please see the PowerSchool remediation tab above for more information.
