GREENVILLE, Mich. — School database provider, PowerSchool is scrambling to recover and protect data after a hacker breached their system in mid-December.
The first district reported to be impacted in West Michigan: Greenville Public Schools.
Superintendent, Wayne Roedel, sent a note home to parents listing off what data had been accessed:
• Student names and GPS ID numbers
• Student addresses
• Student birth dates
• Student grade level
• Student entry and exit dates
• Student doctor name
• Student gender
• Home phone numbers
• Medical Alert Information (this alerts staff of emergency medical situations like asthma, nut allergy, allergy to bee stings, etc.)
Roedel assured parents that social security numbers— along with grades, GPAs, financial information, special education status, schedules, and email addresses— were not accessed during the breach.
According to the school, those responsible accessed staff and student information from around the globe by “exploiting the user account of a PowerSchool technical support employee” and downloaded millions of records between December 19 and 24, 2024.
“We are extremely disappointed in this security lapse and are in constant communication with PowerSchool to understand how this could have happened and what they are doing to prevent future incidents.”
Roedel went on to say the data management company believes the information will not be shared or made public and believe it has been deleted without further replication or dissemination.
PowerSchool is employing CrowdStrike—a cybersecurity firm—to investigate the breach and could provide information from their findings as early as next week. They are also updating credentials for all employees and restricting access to support system tools.
Greenville Public Schools says they are working with other impacted districts and state-and nation-wide tech organizations to respond to the breach on their end as well.
“We know that incidents like these are rare but can be upsetting, and we share your concern. Please know that we are doing everything we can to prevent these types of incidents in the future.”
Greenville is the 2nd school in Michigan reporting to have been impacted, after a district in the UP was identified earlier in the week.
Kalamazoo Public Schools (KPS) later told FOX 17 they were also impacted by the data breach, saying student names, addresses, grade levels and other information was taken. Names and email addresses of staff members were also accessed.
KPS notes the district does not keep a record of Social Security numbers in PowerSchool's system.
Read the full letter from Superintendent Dr. Darrin Slade:
Dear Families and Staff,
PowerSchool, our district’s student information system provider, has informed us of a data breach in their system, which affected thousands of districts around the world. PowerSchool discovered the breach on Dec. 28. Kalamazoo Public Schools was notified of the incident on Tuesday afternoon and we received details of the incident on Wednesday afternoon.
When PowerSchool became aware of the breach, they notified law enforcement, locked down the system, and engaged the services of CyberSteward, a professional advisor experienced in dealing with threat actors. PowerSchool’s logs show that basic student information such as name, address, grade level, and demographic information was exported. For staff members, names and school email addresses were accessed. KPS does not store Social Security numbers of students or staff in PowerSchool.
KPS has confirmed that this is the only information that was remotely accessed. PowerSchool has received reasonable assurance that all of the copied data has been destroyed by the threat actor and does not believe this data will be made public.
As an extra precaution, and in accordance with KPS policy, the district has contacted the district’s cyber insurance carrier to engage cybersecurity professionals and response teams, should their services become necessary. PowerSchool is also working with cybersecurity experts to investigate this incident and monitor for data leaks.
The breach targeted PowerSchool’s remote support platform which had access to our PowerSchool data. The systems and accounts that KPS manages were not compromised.
Kalamazoo Public Schools is committed to protecting the security and privacy of all data, in PowerSchool and all other systems we utilize. The district uses two-factor authentication for an extra layer of protection and requires staff to participate in security training and testing. We will do everything we can to fully understand this situation. We will share updates with families and employees as we learn more about the breach.
Dr. Darrin Slade
Superintendent of Kalamazoo Public Schools
PowerSchool released the following statement:
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
"As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.
"PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously.
"PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
Follow FOX 17: Facebook - X (formerly Twitter) - Instagram - YouTube
