Districts dealing with aftermath of PowerSchool data breach
A recent cyber-attack on PowerSchool that resulted in a data breach has school districts across the nation assessing the potential risks to staff members, students and parents and how to head them off in the future.
A third-party vendor, PowerSchool promotes itself online as “a leading provider of cloud-based software” that supports more than 60 million students and over 18,000 customers in more than 90 countries.
Three of the four school districts in Big Horn County use PowerSchool to manage student information, improve administrative efficiency and support student learning.
The only one that doesn’t is Big Horn County School District No. 4 in Basin, which uses Infinite Campus.
A report prepared by K12 Six, a national nonprofit dedicated to protecting schools from emerging cybersecurity threats, suggests that PowerSchool became aware of a potential cyber-attack when the “threat actor” made extortion demands on Dec. 28, 2024.
The cyber-attack itself occurred Dec. 22, 2024, according to the report, and the “threat actor” who carried out the cyber-attack exported only teacher and student tables, potentially exposing names and address of students and educators as well as Social Security numbers, medical data and grades.
PowerSchool further reported that it was working with CyberSteward, which was assisting with threat actor negotiations, and CrowdStrike, with forensics, and that no malware or ransomware was deployed as part of the attack.
In Greybull, Supt. Mark Fritz said about a quarter of Greybull’s students had Social Security numbers that appeared in the PowerSchool system.
“Not all of our kids have a Social Security number in our system because we don’t need it,” he said. “A lot of times, seniors will put it in there — or we will put it in for the seniors because they look for scholarships at the end and sometimes forget.
“(The cyber attackers) didn’t just suck out the information of our current students; they collected the information of all our students who are in the system,” he said. “So if you’re a past graduate, we may not have an address that would allow us to inform you (about the breach) and urge you to be careful.”
Fritz added that six of the district’s teachers appeared on a list of the potentially compromised. “We think they got their Social Security numbers, but we didn’t put that in,” he said. “I don’t know if the teacher did, but their information got sucked out too.”
Fritz said the district intends to remove the Social Security numbers of all its students and teachers from the PowerSchool system. “If it happens again, it won’t be a big deal,” he said.
Doug Hazen, the superintendent of schools in Lovell, echoed some of Fritz’s concerns.
“Even though we take data security really seriously on our campuses and servers, this happened with a third party and there’s nothing we could have done differently that would have affected this,” said Hazen. “That’s a frustration, that it affects all of us, our community, our students and our staff, so trying to make heads or tails of how much data is out there, and where it actually went, is difficult.”
Despite the breach, Hazen said he hasn’t sensed a high level of concern among employees and the families of students. His advice to them is to “monitor your own online activity. This is a good time to re-look at questions like, are you using the same password for every account? Do you see any odd activity, any log-ins or sign-ins that look suspicious? Just be vigilant over your online access.”
Matt Davidson, the Big Horn County School District No. 2 superintendent, wrote in an email to staff that, “As a district we are committed to maintaining the highest standards of data protection. While we have a number of systems in place to protect student and staff data, this breach was out of our control.
“However, PowerSchool has assured us that the breach is contained, and there is no evidence of ongoing unauthorized activity. We will be staying vigilant and reviewing any related accounts for unusual activity as a precaution.
“We are working closely with the State of Wyoming Cyber Assistant Response Effort (CARE) as well as the Wyoming Department of Education (WDE) through this breach.”
State guidance
In a letter, Lynn Budd, director of the Wyoming Office of Homeland Security, urged school officials to practice great cyber hygiene to reduce their vulnerability to cyber-attacks.
Some of the best practices cited in that letter include:
• Passwords should be reset and ensure personnel they should not use the same password to access multiple systems
• Phishing emails and Smishing (text phishing) are very common after data breaches and training staff and students on the indicators is paramount
• Identity theft can be a result of data breaches, so it is highly
encouraged to monitor business and personal accounts for abnormal activity.