Data Breach 2025-01-07
Below is an official notification of a breach involving a District 94 vendor, PowerSchool. If more information becomes available about this breach, it will be posted here.
1: Date of the breach
December 21, 2024 & December 22, 2024
2: Description of the covered information that was compromised
Student records containing full name, full address, email address, home phone number, gender, date of birth, parental contact information, guardian contact information, doctor's name, doctor's phone number, year in school, and discipline and medical alert information.
Teacher records containing full name, full address, email address, home phone number, school phone extension, network login ID, title, and Zoom room ID.
We have no indication that data such as social security numbers, birth certificates, medical records, or financial information was compromised.
3: What happened?
On December 19th, 2024, threat actors used a compromised support agent's login credentials to access PowerSchool's PowerSource support system. On December 21st/22nd, 2024, the threat actors started using the support system's maintenance access account to export teacher and student data from a large portion of PowerSchool customers' servers, including D94.
On December 28th, 2024, the threat actors contacted PowerSchool through an intermediary security service and an agreement was made to ensure that the exported data was deleted without a possibility of recovery.
PowerSchool notified customers of the data breach on January 7th, 2025 after ensuring that all compromised accounts were deactivated, that new security procedures had been implemented, and that no additional malware had been installed.
D94 notified all families about the breach on January 8th, 2025.
4: What happens if my or my child(ren)’s information is posted on the internet? Will I be notified?
At this time, there is no evidence to suggest that this data has been misused, posted, or distributed. PowerSchool will utilize CrowdStrike to monitor the dark web for any data leaks. D94 will also use its own monitoring service. D94 will contact any families directly should any leaked data be found on the internet.
PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.
5: What happens if I or my child(ren) are the victims of fraudulent activity or identity theft as a result of this breach?
In the unlikely event that this information is used for fraudulent activity or identity theft, report the activity to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338. The FTC will collect the details of your situation and advise you on next steps.
6: What steps is D94 taking to prevent this from happening again?
PowerSchool has updated its security procedures by removing the remote access maintenance system from the internet. Support Engineers must connect to PowerSchool's VPN via multi-factor authentication in order to remotely access customer servers.
D94 has disabled the maintenance remote access service on our PowerSchool server and will only enable it when support is requested.