PowerSchool Data Breach

History

On December 28th, 2024, PowerSchool was made aware of a breach in which an unknown amount of their data was compromised. This information included information on students, parents and teachers, to include:

• Contact information
• Social security numbers
• Medical information (allergies, illnesses, diagnosis, etc.)
• Grades
• And more

PowerSchool sat on the information for a couple of weeks, and in January of this year, they quietly published an announcement about it “pending further investigation”.

Actions Taken

We (JONROG technology) saw the article on January 13th (a couple of days after it was released) and contacted our local board of education's leadership about it. Our offer was to provide students and parents with free classes / information about what to do next. Things like:

• What to look out for
• What actions to take
• How to freeze your credit
• How to watch your child’s credit for unauthorized activity
• Etc.

The response was, and I quote:

“Thanks for reaching out.  We are represented by our liability insurer and they are researching any potential breach for our county.  Thanks again for offering your services.”

In other words, thanks, but no thanks.

Next Steps

First, go to the PowerSchool website and sign up for their free credit monitoring offer. It’s not much, and the standard offer when things like this happen, but it’s something. You have to do this by the end of July. It's unclear if this deadline is so short because of PowerShell, or because feet were drug elsewhere, but you don't have a lot of time.

Next, if you don’t already, monitor your credit! It’s even a good idea to put a freeze on it. This will prevent any unauthorized activity until you unfreeze it. (Don’t worry, you can freeze it again if you need to.) You'll need to do this will all three bureaus.

Next, do the same for your children. If they’re under 18, you’ll have a few more steps to go through in order to verify your parentage or guardianship, but do it now, before anyone else can.

Finally, change your passwords. If the password you've used for PowerSchool was the same as any other password, change it. It's not a bad idea to change all of them. It's a pain, but the attackers will sell this information, and someone will do it for you if you don't.

Final Thoughts

The timing on the letter's everyone is receiving is questionable at best. Now that school's out, they've started arriving, even though the board was aware of it back in January at the latest. It's possible that the delay is related to the ongoing change in leadership, but either way, they took their time about it. Also, it's important to realize that, just because you don't have a student enrolled anymore, doesn't mean your information wasn't involved in the breach. Historic records were almost certainly compromised as well.

Next, keep in mind, the information will likely be sat on for a little while before it's sold off. So, don't think you're safe just because nothing has happened yet. It's common for a delay in follow-on activity by the attackers in order to secure a sense of complacency from the victims. E.g. "If no one is reporting suspicious activity, then we're probably safe..."

Finally, if anyone has any questions, or would like some help, please don't hesitate to reach out. We typically only serve business clients, but we're happy to answer any questions we can. You can use our contact form or call us during the week at (731) 903-2015.

Links

PowerSchool Notice of Breach

How to Freeze Your Credit Report - Experian (Adults)

How to Freeze Your Credit Report - Equifax (Adults)

How to Freeze Your Credit Report - TransUnion (Adults)

How to Freeze Your Child's Credit Report - Experian

How to Freeze Your Child's Credit Report - Equifax

How to Freeze Your Child's Credit Report - TransUnion