January 9, 2025
On January 7, 2025, PowerSchool, the Student Information System used by River Trails School District 26, informed us and many other districts nationwide about a global security breach. The breach, which occurred on December 22, 2024, compromised the data of a significant number of school districts. PowerSchool became aware of the incident on December 28, 2024. In response, they immediately notified law enforcement, secured their systems, and enlisted the assistance of cybersecurity experts from CrowdStrike and Cyber Steward to investigate and protect the affected data. PowerSchool assures us that they have taken all necessary steps to contain the breach and to prevent further unauthorized access or misuse of the data.
Types of Data Compromised:
River Trails School District 26 has confirmed that the following data controlled by the District has been compromised:
- Student, family, custodial and emergency contact information
- Limited medical alert information (e.g., allergies, life-threatening conditions)
- Date of birth
- Dates, school, and grade of enrollment
- Free and Reduced Lunch status
- RTSD26 student ID number
- Ethnicity and gender
- Staff school email addresses and personal contact information
Importantly, PowerSchool has assured River Trails School District 26 that the following types of data have NOT been compromised by the breach:
- Social Security Numbers
- Financial information
- Student and staff pictures
District Response:
While the breach occurred within PowerSchool-operated systems, River Trails School District has taken steps to safeguard the security and integrity of its own systems and protect our data. These steps include:
- Collaborating closely with PowerSchool and participating in their ongoing webinars to stay informed.
- Continuously monitoring our internal systems, supported by robust network security measures.
- Maintaining two-factor authentication for all employee accounts as an added layer of security.
PowerSchool's Response:
- Conducting a comprehensive investigation with third-party cybersecurity firm CrowdStrike. Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.
- Monitoring the dark web to ensure the data obtained during the breach is not disseminated.
- Strengthening their internal protocols and working with federal authorities, including the FBI.
- Continuing communications regarding the breach, including offering credit monitoring and support, which will be forthcoming.
What You Can Do:
While PowerSchool has assured us the risk of misuse is low, we encourage you to take these precautions:
- Review any recent communication from PowerSchool.
- Be cautious of any unsolicited emails or phone calls.
- Consider changing your PowerSchool password, especially if you reuse passwords across platforms.
- Monitor email accounts for any unusual activity.
SOPPA (Student Online Personal Protection Act):
The Student Online Personal Protection Act (SOPPA) is a law in Illinois designed to ensure that student data collected by education technology companies is protected. Here are the requirements of the law:
- Notification of the breach: A school must notify the parent of any student whose covered information was involved in the breach no later than 30 calendar days after the school receives notice of a breach from an operator or determines a breach has occurred. This notification must include the date or estimated date of the breach, a description of the compromised information, contact information for the operator and school, contact information for consumer reporting agencies and the Federal Trade Commission, and a statement that the parent may obtain information about fraud alerts and security freezes from the FTC and consumer reporting agencies. Notification may be delayed if a law enforcement agency determines it would interfere with a criminal investigation.
- Public disclosure of breaches: Schools must also maintain a list of breaches on their website or make it available at their administrative office. The list must include the number of students affected (unless this would violate the Personal Information Protection Act), the date or estimated date of the breach, and the name of the operator if the breach occurred under Section 15. A school may omit from this list any breach involving fewer than 10% of the student body, breaches for which parents are not required to be notified, breaches occurring prior to July 1, 2021, or any breach previously posted on this list more than 5 years prior to the update.
- Updating Breach Lists: The school must update the list of breaches at least twice per year, no later than 30 calendar days following the start of a fiscal year and no later than 30 days following the beginning of a calendar year.
Next Steps:
At this time, River Trails School District 26 is actively working with PowerSchool to monitor the situation and conduct a thorough investigation of the breach. PowerSchool has indicated that a full incident report will be completed by January 17, 2025. While PowerSchool does not anticipate misuse of personal information, they are offering credit monitoring services to affected adults and identity protection for impacted minors, as required by regulations. If you would like to contact PowerSchool directly, you may do so at Security@PowerSchool.com.
Once the investigation concludes, the parents of each student whose information was compromised will receive individual notice including additional information about the incident and available resources. River Trails School District 26 is committed to providing transparent updates as more information becomes available. In the meantime, please be on the lookout for additional updates regarding the ongoing investigation.
Sincerely,
Jodi J. Megerle
Superintendent, River Trails School District 26