PowerSchool Data Breach Resources
PowerSchool informed MPCSD of a data breach of its Student Information System (SIS) on Tuesday, January 7 that impacted all current and former students and staff who had records in that system. Since that date, MPCSD has been focused on learning as much about the breach and its implications for our current and former staff and students and notifying affected individuals. This page is dedicated to providing comprehensive and transparent communications to our community. While data breaches may be a part of life, they are concerning, and we hope that the information shared here provides clarity and reduces concerns. We will continue to update this page as we learn more.
In the tabs below, you will find our Frequently Asked Questions (FAQ). As we receive new information, or as we receive new questions that are not addressed on this page, we will add them. In addition to the FAQ, we have created a tab to provide detailed information about how PowerSchool plans to remediate the impacts of the breach and what services they will be providing.
MCPSD takes the protection of your personal information seriously, and we will continue to work closely with PowerSchool to ensure the safety of your data. Thank you for your patience and understanding as we navigate this issue.
Important Data Breach-Related Information
FAQ
Who/What is PowerSchool?
PowerSchool provides cloud-based software to K-12 schools, including PowerSchool Student Information System (SIS), which serves as a database for student records, among other uses. PowerSchool provides these products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. PowerSchool, however, has not yet revealed the number of customers affected by the incident “due to the sensitive nature of [their] investigation.”
Schools use Student Information Systems (SIS) for many reasons, including to be able to quickly and easily contact families if the need arises, to be aware of each student's unique needs and give teachers and other staff insight into how to best meet those needs, to store grades, to monitor attendance, and so on. In addition, SIS like PowerSchool provide districts with the ability to meet annual state reporting mandates.
MPCSD has used PowerSchool as its Student Information System (SIS) since the 2009-2010 school year. While MPCSD does use other PowerSchool products, such as PowerSchool Enrollment and Schoology, the SIS is the only product that was impacted by the breach.
PowerSchool has some public-facing information for families and educators that you can review here. Please note that information is organized chronologically from most recent updates to earliest updates. It may be confusing to a user who accesses this information on February 4 and sees the title "Identity and Credit Monitoring Update for Canadian Customers" (information added Feb. 3), but scrolling down will provide information for United States customers (information added January 29).
What are the details of the cybersecurity incident?
On December 28, 2024, PowerSchool became aware of unauthorized access to information through its customer support portal, PowerSource. Their subsequent investigation revealed that an unauthorized party gained access to certain PowerSchool SIS customer data using a compromised credential. This credential, which was tied to a maintenance account, gave the threat actor(s) broad and deep access to many PowerSchool customers’ data. PowerSchool is currently working with CrowdStrike, a leading security consultant, to publish a forensic report that will provide additional information. This report is scheduled to be released Friday, January 17, 2025.
How did PowerSchool respond to the data breach?
PowerSchool immediately engaged its cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. They are working to complete their investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services, if applicable) as they become available.
On January 7, 2025, PowerSchool proactively communicated this incident to the PowerSchool SIS customers affected by this incident and continues to support them through the next steps.
PowerSchool has also deactivated the compromised credential and restricted all access to the affected portal. Lastly, they have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts. As part of their ongoing efforts to enhance resilience, they have further strengthened PowerSource password policies and controls, including increasing password length and complexity requirements. They continue to prioritize and invest significantly in their cybersecurity defenses.
Finally, PowerSchool would like to extend a sincere note of gratitude to its customer, educator, and family communities for their continued patience and cooperation. They apologize for any concern this incident may cause you and are working hard to provide timely updates.
Are MPCSD Practices Responsible for the Data Breach?
No. MPCSD is but one of potentially up to 16,000 customers that was victimized by the exploitation of a vulnerability in PowerSchool’s systems. Our PowerSchool SIS is cloud-hosted, and the responsibility of PowerSchool to maintain and secure.
When did MPCSD learn of the incident, and how did it respond?
PowerSchool notified MPCSD of the data breach on January 7, 2025. We immediately reviewed our PowerSchool logs and confirmed that our data was accessed by the compromised credentials that PowerSchool identified. We then drafted communication updating our Board of Trustees and current families and staff. After the initial round of communication, we analyzed our logs further and discovered that not only was the data of current students and staff accessed, but also the data of graduated students and former staff. Our communications timeline is as follows:
- January 8, 2025 - Update to Board of Trustees
- January 8, 2025 - Communication to current families and staff, posted on ParentSquare
- January 8, 2025 - Communication to staff via email
- January 13, 2025 - Communication to families of graduated students via SchoolMessenger
- January 14, 2025 - Publication of PowerSchool Data Breach FAQ
- January 14, 2025 - Communication to families of students whose SSN was compromised in the breach
- January 17, 2025 - Revision of FAQ Page - now titled "PowerSchool Data Brach Resources" - to include details about the services PowerSchool plans to provide to impacted individuals. The FAQ and Remediation details are now separated into different tabs.
- January 27, 2025 - Communication to former staff via email
MPCSD has also reported the incident to the San Mateo County School Insurance Group and its cyber liability insurance provider.
Who breached PowerSchool and accessed the data?
The threat actor who accessed the data has not been named. The IP address that was recorded points to someone in Ukraine; however, this is not definitive, and an IP address can easily be spoofed.
What data from MPCSD was accessed, and who does it impact?
Data from students and staff was accessed, including personally identifiable information (PII). All current students and staff, as well as students who enrolled in MPCSD from the start of the 2009-2010 school year and many staff who worked in MPCSD from the start of the 2009-2010 school year, were impacted. This includes students who may have been enrolled only for a short while before transferring out and staff who worked for MPCSD only briefly before leaving for whatever reason.
Student Data Details
150 unique fields were accessed for 10,662 students, but MPCSD does not use all of the fields. For our instance, the data in question included student name, date of birth (DOB), home address, home phone number, race and ethnicity, gender, the names of parents/guardians/emergency contacts, school ID number, state ID number, and more. Health-related information was also accessed, including the name and phone number of the student's physician and medical alerts (e.g., allergies, asthma, medications, or other disclosed health conditions that would help staff meet the medical needs of students). Data about special services students receive(d), namely IEP or Section 504 services, was also accessed. In some cases, this data was simply a flag (e.g., "IEP on File - Please see case manager"); in other cases, a specific disability, the name of the case manager, or specific accommodations were present in the flag.
Staff Data Details
97 unique fields were accessed for 3,270 staff members. Again, MPCSD does not use all of these fields. For our instance, the data in question included staff name, local staff ID number (Employee Identification Number), ethnicity, home phone number, street, and more.
Were Social Security Numbers (SSN) part of the data breach?
MPCSD does not currently collect or store social security numbers (SSN) in PowerSchool. However, in reviewing the accessed data, we did discover that for 386 student records, all of them from the 2017-18 school year or earlier, there does appear to be an SSN. If your child was one of these 386, we sent you a separate communication on January 14.
MPCSD Student Records Administrative Regulation (5125(a)), last updated November 10, 2015, states that "Personally identifiable information includes, but is not limited to... A personal identifier, such as the student's social security number, student number, or biometric record (e.g., fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting) which is further supported by California statute 34 CFR 99.3. However, the Board updated its Release of Directory Information Exhibit (E.5125.1) in January of 2017 to include the following statement: "(Note: Social Security numbers are not collected by the District..." Therefore, the collection and storage of SSNs in PowerSchool was sanctioned prior to January 2017, though it was not a wide-spread practice across the district. Our records indicate that only one SSN was recorded in PowerSchool after the change in this Exhibit.
Why does PowerSchool not anticipate the data will be shared or made public and that it has been deleted without any further replication or dissemination, and what additional steps will PowerSchool be taking to ensure this?
PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors. This implies that the party responsible for accessing the data demanded a ransom from PowerSchool and that, working through CyberSteward, PowerSchool paid the ransom and received reasonable assurances (i.e., video confirmation) that the data was deleted. PowerSchool will engage consultants to monitor the Dark Web for the impacted data to ensure it does not appear.
It is in the best interest of cyber criminals to keep their word because their “business model,” if you will, depends on reliably deleting data when ransoms are paid, or else in the future, victims will not pay the ransom. Nevertheless, if a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose.
PowerSchool has committed to providing credit monitoring services for adults whose data was impacted, as well as identity protection services for minors whose data was impacted. They have not shared the details about how this will work yet, but MPCSD will pass along this and any other updates as we receive them.
Why does MPCSD have historical records in PowerSchool? Shouldn’t they have been deleted once students graduated? And can I request that my student's record be deleted?
California law requires school districts to store “Mandatory Permanent Pupil Records” in perpetuity, meaning forever. Examples of Mandatory Permanent Pupil Records include, but are not limited to, a pupil's name, date of birth (DOB), marks or credits, and parent/guardian name and address (5 Cal. Code Regs. § 430(d)(1)). The district is permitted to electronically store via Student Information Systems (SIS) like PowerSchool..
Some parents/guardians of graduated students have requested that we delete their students’ records. Under California law, schools must maintain graduated students’ Mandatory Permanent Pupil Records in perpetuity (5 Cal. Code Regs. §§ 430(d)(1), 437(b)). The District does not have the discretion to delete Mandatory Permanent Pupil Records, even when requested to do so by parents/guardians.
What actions should families and staff take now?
There is no action that anyone needs to take at this time other than to be on the lookout for updates from the district. Whatever new information we learn will be published here on the PowerSchool Data Breach FAQ page. Current and former school community members should be on guard for potential phishing/social engineering attempts using this incident as a pretext. Please remain vigilant, as PowerSchool will never contact you by phone or email to request your personal or account information.
As of January 17, PowerSchool announced that all individuals impacted by the breach will qualify for identity protection and/or credit monitoring services from Experian. PowerSchool stated that Experian will provide these notifications "in the next few weeks" from this date. This a vague time range, but we would expect notices by mid-February at the latest.
As of January 29, PowerSchool sent out an update and stated that "we have initiated the process of notifying involved individuals about the resources now available to them." They have create a website with relevant information for impacted individuals entitled "Notice of Data Breach For Individuals in the United States" Please see the "PowerSchool Remediation" tab above for more details.
PowerSchool Remediation
Notification Date and Details
On Monday, January 27, PowerSchool announced that "in the coming days" they would begin providing formal legal notice of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved. On January 29, they revised this information to state that they "have initiated the process of notifying involved individuals about the resources now available to them." The notice received by each individual will include a description of the categories of personal information that were exfiltrated.
PowerSchool also has created a "Notice of Data Breach For Individuals in the United States" website.
A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parents / guardians as applicable) and educators for whom they have sufficient contact information. The notice will include the identity protection and credit monitoring services offer (as applicable). Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool. However, please note that one need not receive a notification in order to take advantages of the services described below. Any impacted individual can use the activation codes provided below to access services or the engagement numbers provided below to contact the call center.
Identity Protection and Credit Monitoring Services
PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was exfiltrated , which will also include two years of complimentary credit monitoring services for all adult students and educators whose information was involved, regardless of whether an individual’s Social Security number was exfiltrated.
Experian, a trusted credit reporting agency, will be helping PowerSchool to provide these services. Details on how to enroll will be included as part of individual notifications, but they can also be obtained using the information below or from PowerSchool's website.
Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent / guardian enrolls an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.
There are two options for affected individuals depending on their age:
Option 1: If the Involved Individual is 18 or Over
- Enroll in these services no later than May 30, 2025, 5:59 UTC
- Visit the Experian IdentifyWorks Website to Enroll
- Provide the activation code, CTYU949PRK (note: this code is different than the code for individuals under 18)
- If you need assistance with enrollment or have questions, call Experian's customer care team at 833-918-9464, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays).
- Be prepared to provide the engagement number, B138812 (note: this code is different than the code for individuals under 18)
Please review PowerSchool's website to understand the Experian Identityworks Credit Plus Membership details.
Option 2: If the Involved Individual is Under 18
- Enroll in these services no later than May 30, 2025, 5:59 UTC
- Visit the Experian IdentifyWorks Website to Enroll
- Provide the activation code, CEBP456TRK (note: this code is different than the code for individuals 18 and over)
- If you need assistance with enrollment or have questions, call Experian's customer care team at 833-918-9464, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays).
- Be prepared to provide the engagement number, B138813 (note: this code is different than the code for individuals 18 and over)
Please review PowerSchool's website to understand the Experian Identityworks Minor Plus Membership details.
General Information about Identity Theft Protection
Please see PowerSchool's resources about additional steps one can take to protect one's identity.
These identity protection resources are also available on PowerSchool's website, below the credit monitoring and identity protection details.