Like many other parents, last month I got an email from my school district. It said that the district had been notified about a potential security incident involving PowerSchool, the app I use for my kid’s school.
It tracks their attendance, has information about who’s allowed to pick them up in case of emergencies, includes medical information.
My first thought was: That did not take any time at all. I knew once my kids started school, I should be prepared for the possibility that they would get caught up in a data breach eventually but they haven’t even completed their first year.
My second thought was sympathy for the administrators because, as a parent and a security editor, I was going to have some pretty detailed follow-up questions. While the initial email from PowerSchool, and the dedicated website, did answer a lot of the questions I would ask about any data breach, I was left with some specific questions about how this breach was affecting my school district and my family.
Here’s what I recommend you ask if you’ve been affected by the PowerSchool data breach, or if you find your kids or school involved in a similar situation.
The PowerSchool breach: What happened and where to start asking questions
My first questions were the big, overall questions that anyone would want to know about a data breach – what happened? When did PowerSchool notice the breach? And what did they do to contain or correct the breach?
These answers were answered both in the email and on the website: On December 28th, 2024, PowerSchool realized they had a cybersecurity issue on their hands, involving unauthorized access to their Student Information System (SIS) via the community-focused customer portal, PowerSchool.
PowerSchool did share that the information that was exposed may have included names, contact information, birthdates, limited medical information and (in some cases) Social Security numbers
No operations were disrupted; no malware or continued activity occurred; and PowerSchool immediately activated its protocols, including cybersecurity responses, third-party experts and an investigation.
PowerSchool included additional information on the site and in the email that answered my following questions: What kind of data was leaked? How many people were affected? Where do people go for further information? What steps do we need to take to get our personal information protected? Are credit monitoring or identity theft monitoring services being provided and if so, how do I access those services?
While they didn’t disclose how many people were affected, PowerSchool did share that the information that was exposed may have included names, contact information, birthdates, limited medical information and Social Security numbers (depending on whether or not the district in question stored that information in their SIS system).
PowerSchool’s statement said the majority of individuals did not have medical information or Social Security numbers involved; later news reports said that as many as 70 million students and educators across 6,500 districts may have been affected.
PowerSchool is notifying regulators, meaning Attorney Generals, on customers behalf as well as students, parents and guardians and offering complimentary identity protection services including credit monitoring services for those who have been affected. Information on how to access those services are available on their website about the data breach.
Where to keep asking questions: What I asked my district
While the PowerSchool website answered a lot of my general questions, I still had some specific ones – that pertained more to my school district, and to my family.
For example, was my district one of the ones that was affected by this breach? I hadn’t been notified that it had been but the email I had been sent seemed vague and I wanted to know specifically if I needed to proceed with looking into identity theft or credit monitoring services for my children.
I had more questions as well, like does my district have an SIS with PowerSchool, and if so, what do they store about my child on it? Is it cloud-based or an on-premise database? Does it use multi-factor authentication? Is my district planning on continuing to use PowerSchool? If so, how will they continue to inform us or update us about this breach? And how many other parents have had questions or concerns about the PowerSchool breach?
Some of the responses I got were surprising, and some were not as reassuring as I had hoped but I will say that everyone I contacted at my district was entirely forthcoming and helpful in getting me replies. No one, other than myself, had contacted them with any questions or concerns about the breach. Not a single parent in the entire district. This was very surprising to me.
PowerSchool's lack of transparency when it comes to how many people are affected, as well as the timeline for when to expect support, and the lack of information about the CrowdStrike investigation create a murkiness around the breach.
In response to my question about whether or not my district was affected by the breach, I was told “We are still waiting for the results of the internal PowerSchool investigation before being able to determine the scope of the breach with regards to our rosters.”
That’s fairly concerning, considering the initial email seemed to indicate that our district was not affected. If I need to look into identity theft protection or credit monitoring for my children, I’d rather start that process sooner rather than later – and I know that CrowdStrike completed their investigation for PowerSchool last month.
My contacts at my district were able to tell me about what kind of SIS my district has, what it has stored on it, and that they are working with their insurer to "review current cybersecurity measures and develop additional measures such as district-wide MFA and Titan USB key usage."
While this is reassuring there isn't an expected date as to when this will all roll-out, and given the increased need for additional security features when it comes to breaches, these types of added protections are becoming more and more important.
Lastly, I was told that while my district plans to continue to use PowerSchool, they will also keep parents informed about the breach as they are made aware of developments — and that PowerSchool will be reaching out to individual families affected by the breach. But the district website has a letter with updated information that wasn't sent directly to parents.
The PowerSchool website does not give any indication as to how long they expect it will take to notify families and includes a disclaimer that Experian or TransUnion may notify families who were affected, and for those who they had appropriate contact information. But if families are not expecting to be contacted by those companies, or don't know that their contact information isn't complete, they may slip through the cracks without being aware.
PowerSchool's lack of transparency when it comes to how many people are affected, as well as the timeline for when to expect support, and the lack of information about the CrowdStrike investigation create a murkiness around the breach although they have been largely forthcoming.
The back and forth from my district about whether or not it was actually involved in the breach creates anxiety in me as a parent, because I don't know how to respond. While it's never easy to handle a data breach of this magnitude, and everyone is doing their best, it's also worth learning from what we could do better – because there's going to be a next time.
More from Tom's Guide
