
Prospect Heights School District 23 News Article

Global PowerSchool Data Breach

The below message concerning the global PowerSchool data breach was sent to families on Thursday, January 9th.

Please read the letter below that provides notice of a global data breach of PowerSchool impacting cloud-hosted clients (including us). You will likely see more about this in the news and from other Districts over the next few days because of the significant scope of this incident.
 
Through their investigation, PowerSchool is confident that the breached data has been deleted and will not reappear; however, we have a responsibility to report this to our families, students, and staff. This also highlights the importance of our cyber security measures and the unfortunate prevalence of such incidents.
 

January 9, 2025

 

On Jan. 7, 2025, PowerSchool, Prospect Heights School District 23’s Student Information System, notified us and many other districts across the country that they recently experienced a global security breach on December 22, 2024, that compromised the data of a significant number of school districts. PowerSchool first became aware of the breach on December 28, 2024, and immediately notified law enforcement, secured their systems, and enlisted the assistance of cybersecurity experts from CrowdStrike and Cyber Steward to investigate the incident and secure the data. PowerSchool reports that they have taken all appropriate steps to contain the incident and to prevent the data from further unauthorized access or misuse.

 

Types of Data Compromised:

Prospect Heights School District 23 has confirmed that the following data controlled by the District has been compromised:

Student and family contact information
Limited medical alert information (e.g., allergies, life-threatening conditions)
Doctor name and phone number
Date of birth
Dates of enrollment 
Free and Reduced Lunch status
Staff school email addresses, personal contact information, and ID numbers
 

Importantly, PowerSchool has assured Prospect Heights School District 23 that the following types of data have NOT been compromised by the breach:

Social Security Numbers 
Financial information
Student and staff pictures


District Response:

Although this breach occurred within PowerSchool-operated systems, Prospect Heights School District 23 has taken several steps to ensure the security and integrity of its systems and to ensure that the data is protected. In response to the breach, Prospect Heights School District 23 has taken and is taking the following steps:

Working closely with PowerSchool and attending their ongoing webinars to stay informed.
Monitoring our internal systems, which include robust network security measures.
Maintaining two-factor authentication for all employee accounts as an additional security layer. 

PowerSchool’s Response:

Conducting a comprehensive investigation with third-party cybersecurity firm CrowdStrike. Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.
Monitoring the dark web to ensure the data obtained during the breach is not disseminated.
Strengthening their internal protocols and working with federal authorities, including the FBI.
Continuing communications regarding the breach, including offering credit monitoring and support, which will be forthcoming.

 

What Can You Do:

While PowerSchool has assured us the risk of misuse is low, we encourage you to take these precautions:

Review any recent communication from PowerSchool.
Be cautious of any unsolicited emails or phone calls.
Consider changing your PowerSchool password, especially if you reuse passwords across platforms.
Monitor email accounts for any unusual activity.
 

SOPPA (Student Online Personal Protection Act): 

The Student Online Personal Protection Act (SOPPA) is a law in Illinois designed to ensure that student data collected by education technology companies is protected. Here are the requirements of the law:

Notification of the breach: A school must notify the parent of any student whose covered information was involved in the breach no later than 30 calendar days after the school receives notice of a breach from an operator or determines a breach has occurred. This notification must include the date or estimated date of the breach, a description of the compromised information, contact information for the operator and school, contact information for consumer reporting agencies and the Federal Trade Commission, and a statement that the parent may obtain information about fraud alerts and security freezes from the FTC and consumer reporting agencies. Notification may be delayed if a law enforcement agency determines it would interfere with a criminal investigation. HERE is more helpful information.
Public disclosure of breaches: Schools must also maintain a list of breaches on their website or make it available at their administrative office. The list must include the number of students affected (unless this would violate the Personal Information Protection Act), the date or estimated date of the breach, and the name of the operator if the breach occurred under Section 15. A school may omit from this list any breach involving fewer than 10% of the student body, breaches for which parents are not required to be notified, breaches occurring prior to July 1, 2021, or any breach previously posted on this list more than 5 years prior to the update.
Updating Breach Lists: The school must update the list of breaches at least twice per year, no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.


Next Steps:

At this time, Prospect Heights School District 23 is working in collaboration with PowerSchool to monitor the situation and complete a thorough investigation of the incident. PowerSchool reports that a full incident report should be completed by January 17, 2025. Although PowerSchool does not anticipate misuse of personal information, they are offering credit monitoring services to affected adults and identity protection for impacted minors, as required by regulations.

 

Once the investigation is complete, the parents of each student whose information was compromised by the breach will receive individual notice including additional information about the incident and available resources. Prospect Heights School District 23 will continue communicating transparently about this situation as more information is learned. In the meantime, please be on the lookout for additional updates regarding the ongoing investigation.

 
