PowerSchool

PowerSchool Data Breach Notification

The following was sent to Staff, Students, and Families on January 16, 2025

PowerSchool notified Unit 9 that it is among PowerSchool’s many worldwide clients whose data was accessed during a cybersecurity incident. 

While PowerSchool is responsible for this incident and its impact, Unit 9 is committed to protecting our student, staff, and family data and to communicating with transparency about this incident. We are providing the information we currently have, and as more specific information becomes available, we will share it.

What happened?

According to PowerSchool, someone used a compromised PowerSchool credential to access data stored in the global Student Information System (SIS). When PowerSchool became aware of the incident on December 28, 2024, they notified law enforcement, locked down the system, and engaged the services of CrowdStrike (a cybersecurity company that develops software to help companies detect and prevent cyberattacks) and Cyber Steward (a professional advisor with experience in negotiating with threat actors). PowerSchool has told school districts that a complete forensic report will be made available. PowerSchool notified clients on January 7 and held a debrief on January 8 to share details.

What data could have been accessed?

Initial information from PowerSchool indicates that some information about staff and students was accessed. Our Head of Technology has reached out to our PowerSchool representative for more information.

Information accessed includes contact information (names, addresses, and phone numbers) as well as some health information for students. Unit 9 does not retain student or staff Social Security numbers in PowerSchool, and to our knowledge, no financial information was included in the data breach.

PowerSchool states that they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. We have a video confirming deletion and are actively searching the dark web to confirm.”

What happens next?

PowerSchool has stated that the incident is contained and that they have no evidence of malware or continued unauthorized activity in the PowerSchool environment. They are not experiencing, nor do they expect to experience, any operational disruption, and they continue to provide services as normal to school districts.

Although PowerSchool has assured us that the risk of data dissemination or misuse is low, we remain vigilant and are leveraging all available resources to thoroughly assess the situation and strengthen the protection of our systems.

Communication and Transparency

The Unit 9 Director of Technology will continue to work with our PowerSchool representative and we will share relevant information as it becomes available to us. 

Additionally, in accordance with the Student Online Personal Protection Act (SOPPA), the school district has prepared additional contact information accessible here.

Dr. David Andriano

Superintendent