Data Breach Impacts Local School Districts
By Gordon Hopkins
PowerSchool, a software vendor that provides the Student Information System (SIS) for schools throughout Nebraska and the country, including several local schools, suffered a cybersecurity breach late last month. Fairbury Public Schools, Diller Odell Schools, Meridian Public Schools, Thayer Central, Southern District Schools and Wilber-Clatonia all use PowerSchool.
According to PowerSchool, the taken data primarily includes parent and student contact information and some educator information, although PowerSchool acknowledges some Personally Identifiable Information (PII) may also have been exposed. PowerSchool is working to complete their investigation and determine whether PII belonging to students was included.
More than half of the school districts across Nebraska use PowerSchool as their SIS.
How Did the Breach Occur?
According PowerSchool, the breach was the result of someone using a “compromised credential.” PowerSchool issued an alert to impacted schools, “PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.”
What Kind of Data Was Compromised?
PowerSchool has informed impacted schools that the taken data primarily includes parent and student contact information, along with data elements such as name and address information. Across PowerSchool’s customer base, they have determined that, for some individuals, some PII, such as social security numbers (SSN) and medical information was impacted.
Fairbury Public Schools Superintendent Dr. Devin Embray issued a statement to parents on Friday, January 10, 2025, in which he confirmed some of the data may include social security numbers, “Protecting our students is something we take seriously. FPS stopped requiring SSN years ago, unfortunately, archived data may still have SSN numbers stored in PowerSchool. With PowerSchool’s help, more information and resources (including credit monitoring or identity protection services if applicable) will be provided to you as it becomes available. We understand this news may be concerning. We are committed to protecting the privacy and security of our students and staff, and we will continue to provide updates as the situation evolves.”
Response from PowerSchool
A statement from PowerSchool indicates the breach was discovered December 28, 2024, “As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.”
Local schools report being informed on January 7, 2025.
PowerSchool states there is no evidence of malware or continued unauthorized activity, “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
Response from Local Schools
FJN reached out to local schools.
Randy Kort, Superintendent of Meridian Public Schools, told FJN he was aware of the issue and working with PowerSchool.
Southern District Schools in Wymore issued a statement on Friday, “On Tuesday, January 7, 2025, PowerSchool informed our leadership team that they experienced a cybersecurity incident involving unauthorized access to certain PowerSchool SIS customer data. Unfortunately, they have confirmed that the information belongs to some of Southern School District’s families and educators.”
Superintendent Dr. Chris Prososki wrote, “Just a little over two years ago, Southern updated our enrollment forms, and one of the items that we took off of the enrollment forms was requesting for Social Security numbers. In addition, we went ahead and took out all of the Social Security numbers for both students and staff members in PowerSchool. We knew it wasn’t a matter of if our SIS would be hacked, but a matter of when our SIS would be hacked. You can rest assured that your child’s Social Security number was not compromised.”
FPS Superintendent Embray was informed by PowerSchools data compromised included information about FPS families and educators. In his statement to parents, he wrote, “PowerSchool in collaboration with CloudStrike, has taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. They do not anticipate the data being shared or made public, and they believe it has been deleted without any further replication or dissemination.”
Also impacted was Diller-Odell Schools. Superintendent Mike Meyerle advised FJN, “We do use Powerschool. We are waiting on more info from Powerschool on the matter. Will release a statement once we have some more info.”
Tri County Superintendent Randy Schlueter wrote in a recent statement, “PowerSchool has told us the situation has been contained and they have taken actions to prevent the information from being used. PowerSchool has reassured Tri County that information has not shared outside of the breach.”
