To start, district IT teams should disable remote maintenance in the PowerSchool console, review their logs to see what data was exposed, and begin the process of notifying those affected, along with cybersecurity insurers and state authorities, according to Doug Levin, co-founder and national director of the K12 Security Information eXchange. The nonprofit focuses on the unique cybersecurity needs of K-12 schools, functioning as an “enhanced information sharing and analysis center” for the sector, per its website.
“I think it’s important for school systems to understand their notification obligations under state law,” Levin said. “Now that they’ve been informed of an incident, they may be on a clock to make notification to a state authority about what has happened.”
PowerSchool made its notification to affected school districts via email on Tuesday, roughly 10 days after the company became aware Dec. 28 that hackers had used a “compromised credential” to export sensitive student and teacher data from PowerSchool SIS. The system serves more than 45 million students in 15,000 schools and districts, according to the company’s website.
“It’s possible that in some school systems passwords were compromised, and so they may need to determine whether they need to do a password reset,” Levin said. “That should not be the typical case, but it may be the case in some places.”
In the PowerSchool notification to school districts, the company states that it will provide credit monitoring services to all affected parties. The email also says that PowerSchool has informed law enforcement of the incident and is working with third-party cybersecurity experts.
“Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,” the email reads. “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.”
Linnette Attai, a student data privacy expert and project director of the Consortium for School Networking’s Trusted Learning Environment Program, said that this does not mean that no one has that data or that those who were exposed will not be affected.
“There’s a financial, there’s an emotional, and there’s a time cost to this for those individuals impacted,” Attai said, “and so for districts, that’s going to be a lot of work that they need to do.”
PowerSchool has not released further details about the data breach. The company had not responded by press time to a request for comment. The company has held a webinar and posted an FAQ page accessible only to customers.
BleepingComputer, a news site that broke news of the breach late Tuesday night, reported that it obtained access to the FAQs, which it said indicated PowerSchool has paid the hackers to delete the stolen data. According to BleepingComputer, PowerSchool confirmed that it received a video showing the data was deleted and that the company will monitor the dark web for any leaks.
PowerSchool has not yet made public how many school districts were affected by the breach, but news stories nationwide show districts are informing their communities. As of Friday afternoon, a running list at the bottom of the BleepingComputer article showed 54 school districts in the United States and 14 in Canada had reported being affected by the breach.