PowerSchool data breach FAQ for South Haven Staff and Families:
What happened?
At some point a malicious actor or organization gained access to the login information for a PowerSchool contracted support employee. This employee login apparently had access to the student and staff database files for many, if not all, school districts using PowerSchool. Between Dec 19 and 23, 2024, the malicious actor used the support login to download student and staff information from as many schools as possible.
How did PowerSchool respond?
PowerSchool became aware of the breach on Dec 28, 2024 and began working with cybersecurity organization CrowdStrike to conduct an investigation and limit further intrusion. They also worked with a company called CyberSteward to negotiate with the malicious actor, and paid an undisclosed amount in exchange for assurance that the actor would destroy the stolen data. PowerSchool claims they received video evidence of the data’s destruction. In most cases, malicious organizations follow through with these assurances because they don’t want to deter future victims from paying them; however, there is no way to know for sure. PowerSchool will continue to use CrowdStrike to monitor the dark web and other data repositories for this data.
When did we know about the breach?
PowerSchool sent initial notification that a breach had occurred on the afternoon of January 7. On January 8 we were able to confirm that South Haven’s PowerSchool instance had been accessed, and data had been downloaded. At that time we began communicating with PowerSchool, and we sent our initial communication to parents and staff that evening.
Will PowerSchool provide identity monitoring services to affected families?
PowerSchool says they will provide identity monitoring services to families on a case-by-case basis depending on the type of information that was downloaded from each school. They are currently examining detailed logs, and will provide a comprehensive report to each school in the coming weeks.
What could South Haven have done to prevent the breach?
There is nothing South Haven could have done to prevent this breach. PowerSchool’s support technicians had access to school data regardless of any security measures the schools put in place, and the malicious actor had access to a support technician login.
What is PowerSchool doing to prevent further breaches?
PowerSchool says they have put their support portal behind a VPN (Virtual Private Network) which requires two-factor authentication and other security mechanisms so that if a support login is compromised in the future, the malicious actor won’t be able to access the support portal. Additionally, PowerSchool has removed unlimited access to school data from the support portal. Instead, PowerSchool support will require each district to grant them limited access each time support is needed.
Will South Haven make any changes?
Currently we are in the process of removing all student SSNs from the PowerSchool database, and will no longer collect SSNs at enrollment. Staff SSNs are not stored in PowerSchool.
How does South Haven protect the data stored in PowerSchool?
In 2022 South Haven began requiring two-factor authentication for all teacher and administrator Google accounts. Staff must use their Google account to log in to PowerSchool, meaning two-factor authentication is also in place for PowerSchool. Even if a staff username and password were stolen, a malicious actor could not log in to PowerSchool without access to the staff member’s phone or authenticator application.