We are learning more about a data breach at one of the largest student-information systems in the world that has potentially exposed the personal information of millions of students and teachers, including in Northeast Ohio.
PowerSchool stores data on individuals, including personal information and protected educational records, which can date back years.
News 5 spoke with Dominic Paluzzi, the co-chair of the Data Privacy and Cybersecurity Practice at McDonald Hopkins, who is representing school districts across the country and helping them navigate the situation.
Paluzzi said PowerSchool was compromised in late December. He said leaked messages made them go public this week, sooner than we would usually see in a case like this.
He said while this investigation is early and ongoing, it is believed to be a known threat actor group. There is no confirmation which one yet, but Paluzzi said the goal of these criminals is usually financial gain.
Paluzzi says they're usually after the data on a macro level, not individuals. He said they've received assurances from PowerSchool that there is no ongoing threat, and they believe the stolen data is not going to be leaked or made public.
While we await the final findings of exactly which districts and data were compromised, Paluzzi said families can act now.
"Parents should really be making sure that they are being diligent in reviewing credit reports, placing security and fraud alerts on theirs and their student's, to the extent they may be close to the age of 18 they will have a credit file as well with the credit bureaus," said Paluzzi. "Make sure you're checking your statements, checking your credit reports, and this is just good advice irrespective of whether we have a large global breach like we have."
Some of the districts in Northeast Ohio that have confirmed they're affected by the PowerSchool data breach are North Olmsted and Shaker Heights.
Paluzzi said these kinds of vendor breaches are becoming more and more common. He said his firm handled 2,500 of these kinds of situations last year. He said they even handled one a few years ago involving a PowerSchool competitor.
According to Paluzzi, the good news in this data breach is there's no sign the threat impacted school systems and that this remained within PowerSchool.
Paluzzi said along with placing fraud alerts, security freezes, and checking your credit reports, the best way to stay protected as a consumer is to also never give your social security number out or put it on forms, unless absolutely necessary.
News 5 reached out to PowerSchool.
We were sent this statement:
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.
PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously.
PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
