PowerSchool Data Breach

PowerSchool Cybersecurity Incident Information

>PowerSchool Communications

We now have a public statement and community facing FAQ available on our website.

>Superintendent Communications

 

The following message was sent to families at 5:38pm on January 8, 2025, via School Messenger
Good evening,
As my earlier message this morning noted, PowerSchool has informed us that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and that Millis data may have been accessed.  A large number of districts have been impacted and PowerSchool is still determining what may have been accessed in each affected district.  At this point we don’t know how (or if) Millis has been impacted.

According to PowerSchool, it has “engaged our cybersecurity response protocols and mobilized a cross-functional response team, . . . and also informed law enforcement. . . .Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.” PowerSchool has indicated that:  “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.”

PowerSchool has informed us that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.  Again, at this time we don’t know if Millis has been affected to this degree.

Millis does not have direct confirmation that it has been impacted.  PowerSchool sent a general notice to all districts.  We are following up with PowerSchool to find out more information on how Millis was specifically affected and for more details on the incident.  As we receive more information, we will relay this to families and the community and to any specific individuals impacted. 

Thank you,

Bob Mullaney, Superintendent

 

The following message was sent to families at 10:27am on January 8, 2025, via School Messenger
Good morning,
We have been made aware that PowerSchool, our Student Information System provider, is currently investigating a recent data security incident and that it is likely that some student and staff information in our district has been affected.  The potentially impacted data may include student and teacher information such as names, addresses, contact details, and grades as well as parent/guardian information.  We are currently gathering more information about this incident and how it may have impacted our school community.  A number of other districts in the state and country may have been affected as well and PowerSchool is working with all the districts potentially affected.  We understand that data security incidents are concerning and we are committed to protecting the privacy of our students and staff.  The school will provide further updates and recommendations on things families might do to mitigate the impact of the data breach as soon as more information becomes available.   

 

The following message was sent to teachers at 10:26am on January 8, 2025, via internal email
Good morning,
We have been made aware that PowerSchool, our Student Information System provider, is currently investigating a recent data security incident and that it is likely that some student and staff information in our district has been affected.  The potentially impacted data may include student and teacher information such as names, addresses, contact details, and grades as well as parent/guardian information.  

We are currently gathering more information about this incident and how it may have impacted our school community.  A number of other districts in the state and country may have been affected as well and PowerSchool is working with all the districts potentially affected.  We understand that data security incidents are concerning and we are committed to protecting the privacy of our students and staff.  We'll keep you informed and provide further updates and advice on things staff might do to mitigate the impact of the data breach as soon as more information becomes available.  Ryan and his team have been in contact with PowerSchool and are working towards fully understanding what happened and what we might need to do

Thanks,

Bob

 

>What happened?

On December 28, 2024, PowerSchool discovered a security breach in their PowerSource customer support portal. An unauthorized individual gained access to some PowerSchool Student Information System (SIS) customer data by using compromised login credentials. This breach affected school districts nationwide.

Upon learning of this, PowerSchool immediately launched a comprehensive investigation, involving their cybersecurity team, senior leadership, and external experts. They also notified law enforcement.

The breach has been contained, and they have no evidence of any ongoing unauthorized activity or malware within their systems. Their operations remain uninterrupted, and they continue to provide normal services to their customers.

They have taken all necessary measures to prevent further unauthorized access to the affected data. They believe the data has been deleted and is not at risk of being shared or made public.

The compromised credentials have been deactivated, and access to the affected portal has been restricted.

They have actively notified affected SIS customers and will be working closely with them to communicate with their educators, families, and other stakeholders.

>What data was compromised?

Two separate tables of information was extracted from the PowerSchool Student Information System, a student information table and a teacher information table.

Data in the student information table includes:
-Student directory information (for example, address, phone number)
-Student demographic information (for example, date of birth, grade level)
-Student medical alert information (for example, asthma, diabetes, allergy details, doctor name)
-Parent/guardian directory information (for example, address, phone, emergency contact name and phone)
-Social Security Numbers in a few instances (1 current student)

Data in the teacher information table includes:
-Staff directory information (for example, address, phone number, school email, job title)
-Social Security Numbers in a few instances

>Was private health information compromised?

No medical records were compromised, as they are stored in a separate system. However, some medical alerts and physician information related to students were disclosed.

>When did the breach occur at Millis Public Schools?

Millis was first probed by the hacker on December 20, 2024 and data was downloaded on December 22, 2024.

>Is PowerSchool currently safe to use?

PowerSchool has assured us that this security incident did not involve any compromise of passwords. We have carefully reviewed this information and determined that it is safe to continue using PowerSchool SIS for both students and staff.

>Will PowerSchool provide identity and/or credit monitoring services to those individuals affected by the data breach?

At this time, we are waiting for additional information from PowerSchool regarding this possibility.

Website by SchoolMessenger Presence. © 2025 SchoolMessenger Corporation. All rights reserved.