PowerSchool Data Breach

PowerSchool Cybersecurity Incident Information

Message from PowerSchool:

We now have a public statement and community facing FAQ available on our website.
They have posted a Summary update of the data breach provided by PowerSchool.

Communication from PowerSchool:

Dear Valued Customer,

As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool become aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource.Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”)customer data using a compromised credential, and we regret to inform you that your data was accessed.

Please review the following information and be sure to share this with relevantsecurity individuals at your organization.

As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.

We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. Theunauthorized access point was isolated to our PowerSource portal. As the Power Source portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.

Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.

Rest assured, we have taken all appropriate steps to prevent the data involvedfrom further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.

We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.

PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.

We have taken all appropriate steps to further prevent the exposure ofinformation affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

In the coming days, we will provide you with a communications package to support you in engaging with families, teachers and other stakeholders about this incident. The communications package will include tailored outreach emails, talking points, and a robust FAQ so that district and school leadership can confidently discuss this incident with your community.

We understand that you may have additional questions as a result of this update.FAQs are available on PowerSchool Community. Additionally, we will be holding webinars with senior leaders, including our Chief Information Security Officer, to address additional concerns. Please click the link below to register for a webinar that fits your schedule. Note that content for all sessions will be identical, so you need only attend one.

Wednesday, January 8: REGISTER HERE

Thursday, January 9: REGISTER HERE

In the meantime, please reach out to your Customer Success Manager (CSM), Support, or other established PowerSchool contact should you have any questions. We will be sending communications later today to other stakeholders in your organization who are responsible for other PowerSchool products notifying them of no impact to the other PowerSchool products.

We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.

Thank you for your continued support and partnership.

Sincerely,
Hardeep Gulati
Chief Executive Officer

Paul Brook
Chief Customer Officer

cc: Mishka McCowan
Chief Information Security Officer

Dear PowerSchool SIS Customer,
Thank you for your continued patience and partnership as we address the recent cybersecurity incident. Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.

As a PowerSchool SIS customer whose information was involved, I am writing to provide you with updates on several important next steps:

Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.

• Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.

• Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.

Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and relevant state attorney general offices on your behalf. We hope to relieve the burden of these notifications on you and your institution. You may opt out if you would prefer to notify directly.

• Community: PowerSchool will coordinate with Experian to provide notice on your behalf to students (or their parents / guardians if the student is under 18) and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).

• Regulatory: PowerSchool will provide notification on your behalf to relevant state attorney general offices. You may also have notification requirements with your state’s Department of Education where required. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to you on these notifications.

In this link, you will find a fact sheet with additional details on these steps and the incident, a template that we intend to use to notify individuals whose information was involved, and a proposed communication that you may choose to share with families and educators to keep them informed on these steps. We are providing this communication package to technical contacts listed by your organization with PowerSchool. Please forward as appropriate to relevant leaders in your organization.

I sincerely value the trust you have placed in PowerSchool. We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.
We appreciate all that you are doing to support families and educators through this process.

Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool

Dear Valued Customers,

I am writing today to inform you that our investigation and data review into the scope of the cybersecurity incident has continued in earnest. As part of our commitment to keeping you informed, we are reaching out with an update on the latest steps we have taken in response to this incident and what you can expect over the coming days.

Importantly, this message requires no action on your part and serves simply as an update.

This afternoon, PowerSchool began the process of filing state attorneys general notifications across applicable U.S. jurisdictions on behalf of customers who did not opt-out of our offer to do so. PowerSchool has also started the process of notifying Canadian regulators.

For our U.S. customers, you may also have notification requirements with your state’s Department of Education. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to you on making these notifications.

In the coming days, PowerSchool will begin providing formal legal notice of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved.

A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parents / guardians as applicable) and educators for whom we have sufficient contact information. PowerSchool will also launch a website and distribute a media release to ensure we reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool.

PowerSchool will also be providing you with communications materials to help navigate conversations with families and educators as part of our effort to support you with the expected inquiries from your community members.

Thank you for your ongoing patience and partnership.

Hardeep Gulati
Chief Executive Officer, PowerSchool