SIS Incident - NFHN Reader

January 29, 2025: Identity and Credit Monitoring Update for United States Customers

Identity and Credit Monitoring Update for United States Customers

Since our last update, we have initiated the process of notifying involved individuals in the U.S. about the resources now available to them. As part of this process, we have posted a notice to our website and published a press release. Credit monitoring and identity protection services are now activated and available.

In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This does not apply to customers who have opted out of this process. The email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a toll-free call center for families and educators in case they have questions about these offerings: 833-918-9464

For individuals located in Canada, we will be reaching out next week with further information on the resources made available to you.

To our customers and the families and educators that we serve, please know that we sincerely appreciate your continued patience throughout this process. We remain committed to supporting you.

General FAQ

What is the timeline for providing notification information to schools, educators and families?

PowerSchool initiated notifying our customers on January 7, as well as individuals on January 29 by posting a notice to our website, and publishing a press release. In the coming weeks, direct email notifications will go out to involved students and educators for whom we have sufficient contact information.

FAQ for Families

Why is Experian notifying me instead of PowerSchool?

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services on behalf of PowerSchool and our customers who opted in to these services. Additionally, PowerSchool worked with Experian to set up a dedicated, toll-free call center to answer any questions regarding the incident that involved individuals may have.

How do I sign up for credit monitoring?

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

What if I don’t get an email?

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/ This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email.

What information of mine was involved?

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. Please note regardless of whether an individual’s Social Security Number was exfiltrated, we are offering two years of complimentary identity protection services for all current and former students, parents / guardians of students, and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students, and educators whose information was determined to be involved.

FAQ for Educators

Why is Experian notifying me instead of PowerSchool?

How do I sign up for credit monitoring?

What if I don’t get an email?

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email.

FAQ for Customers

How will students and educators be notified if their information was involved?

We have initiated the process of notifying involved individuals. In the coming weeks following Jan. 29, direct email notifications will go out, and in the meantime, we have distributed a media release and posted a notice to our website.

January 17, 2025: Updated Information for U.S. Families, Educators and Customers

Updated Information for U.S. Families, Educators and Customers

What Happened

On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of personal information from certain PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

Identity Protection & Credit Monitoring Services

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.
PowerSchool has engaged Experian, a trusted credit reporting agency, to provide these services. Starting in the next few weeks, PowerSchool will coordinate with Experian to provide notice on behalf of our customers to students (or their parents/guardians if the student is under 18) and educators whose information was exfiltrated from their PowerSchool SIS.

Student and Educator Data Involved

Who Was Affected

On January 7, 2025, we proactively communicated this incident to the PowerSchool SIS customers affected by this incident. On January 17, 2025, PowerSchool shared next steps with those same SIS customers. Districts and schools that do not utilize PowerSchool SIS were not affected.

Steps We Are Taking in Response & Moving Forward

As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. Since then, over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community. We take our responsibility to protect student, family, and educator data privacy extremely seriously, and we are committed to providing customers, families, and educators with resources and support as we work through this together.

General FAQ

What happened?

On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

When will PowerSchool provide next steps to schools, educators and families?

We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

What steps are you taking to prevent this from happening again?

PowerSchool is committed to protecting the security and integrity of our applications and regularly reviews and enhances it security policies and practices. We continue to prioritize and invest significantly in our cybersecurity defenses.

What is the timeline for providing notification information to schools, educators and families?

As PowerSchool is working to complete our investigation, we are also taking steps to set up a system – in coordination with our customers – to be able to provide supportive resources (including credit monitoring or identity protection services if applicable) for individuals whose data may have been involved. As we have more definitive information on our timeline, we will share that accordingly.

FAQ for Families

Who is PowerSchool?

PowerSchool provides cloud-based software to K-12 schools. This security incident affected some of the districts using the PowerSchool Student Information System product. We have no evidence that any other PowerSchool products were affected as a result of this incident.

Am I required to reach out to my school or take any steps as a parent or guardian at this time?

No. If you are a parent or guardian of a student under the age of 18 and your student’s information was exfiltrated from their district’s PowerSchool SIS, you may receive a notification email from PowerSchool. Additionally, we have posted on our website and distributed a media release informing individuals of the incident and resources we have offered.

Was any student or family data involved in this incident?

For involved current and former students, parents / guardians of students, and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. The majority of individuals did not have their medical alert information or Social Security Number involved.

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Will I get identity protection or credit monitoring?

PowerSchool is offering complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.

Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved.

Credit monitoring agencies do not offer credit monitoring services for individuals under the age of majority. If a parent / guardian enrolls an individual under the age of majority in the offered identity protection services, the individual, upon reaching the age of majority, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.

Would PowerSchool reach out to me directly to request my personal information?

PowerSchool is committed to keeping our community informed and will be providing further resources as they become available. However, please remain vigilant as PowerSchool will never contact you by phone or email to request your personal or account information.

Why is Experian notifying me instead of PowerSchool?

How do I sign up for credit monitoring?

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

What if I don’t get an email?

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email.

What information of mine was involved?

Please note regardless of whether an individual’s Social Security Number was exfiltrated, we are offering two years of complimentary identity protection services for all current and former students, parents / guardians of students, and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students, and educators whose information was determined to be involved.

FAQ for Educators

Was any educator data involved in this incident?

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Insurance Number (SIN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. The notice received by each individual will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Is PowerSchool offering identity protection and credit monitoring services?

How many districts and schools were involved?

We are not sharing specifics around the number of districts and schools we believe were involved. We are in communication with those customers directly and are supporting them through next steps.

Why is Experian notifying me instead of PowerSchool?

How do I sign up for credit monitoring?

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.

What if I don’t get an email?

FAQ for Customers

Was data from my school district involved?

We have proactively contacted the SIS customers that we believe were affected. If you are not a SIS customer, you were not affected.

Should we take any action to secure our own systems?

We do not believe there is an ongoing risk to our systems. We have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.

Were other PowerSchool products affected?

Other than PowerSchool SIS, we have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.