PowerSchools breach exposed data of 2 Pima County school districts

A breach at California-based educational software company PowerSchools exposed the data for at least two school districts in Pima County.

School districts that use PowerSchool in Pima County include Ajo
Unified School District, Flowing Wells, Pima County JTED, Sahuarita
Unified, Sunnyside, and Vail School District. While the hack involved
PowerSchool’s services, not all districts that use the site were
affected by the attack.

Vail and Flowing Wells data was exposed by the hack. Other area districts have not responded to questions from the Sentinel.

PowerSchools publicly announced the breach on Monday, telling the public that hackers infiltrated parts of the company’s student information systems through one of its websites. The company said they are “not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.” 

“We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the company said. 

PowerSchools—which provides cloud-based software for K-12 schools—said the breach involved some information, including social security numbers and medical information. “We are working with urgency to complete our investigation and identify the individuals whose data may have been involved,” the company said. 

The company said they informed school districts last week about the breach, and are “coordinating” with districts and schools to provide more information and resources, including offering credit monitoring and identity protection services if necessary.

The names, phone numbers and emails of parents and guardians were also potentially compromised, said PowerSchools. Hackers were able to use a stolen credential, or login, to access the internal customer support portal, the company said. PowerSchool currently has 16,000 customers, and is used by more than 50 million students across North America, the company said.

Tucson Sentinel contacted local districts known to use the company’s systems, but only officials from Flowing Wells responded immediately. 

In an email, Tabetha Finchum, an assistant superintendent for the district, said FWUSD was impacted by the breach, and she included a letter sent out last week. 

In the letter, Superintendent Kevin Stotzfus wrote PowerSchool confirmed that Flowing Wells schools are “among the many schools around the country impacted by this incident.” 

“The Flowing Wells School District prioritizes the safety and privacy of our students, staff, and families. It is important to note that this breach is on PowerSchool’s end and has not compromised any of our other systems in Flowing Wells,” Stotzfus wrote. “PowerSchool has confirmed that the breach is contained and that no malware was involved, and we have determined that our database is fully intact and functional.” 

Stotzfus said passwords were not compromised, but the hackers may have accessed student, family and employee demographic information. Other data, including student or parent Social Security numbers were not exposed because the district does not maintain those records, he said. 

He added the company has assured Flowing Wells they have taken steps to prevent another breach, and have assured officials “this type of event will not happen again.” 

Officials at Vail emailed parents on Friday telling them about the breach, noting they were among nearly 16,000 districts and schools affected, KOLD reported. 

“It is worth noting that this breach is on PowerSchool’s end and has not affected any of our other systems in the district,” Vail officials wrote in an email. “Further, PowerSchool has assured their customers that they have taken significant steps to ensure this type of event cannot happen again.” 

Vail officials said the district “employs a comprehensive set of cybersecurity tools and software as part of our standard best practices.” 

“As soon as we became aware of the incident, our district technology team worked with PowerSchool and also partnered with additional third-party cybersecurity experts to conduct a thorough forensic investigation, verify what happened, and ensure that our systems remained secure,” they said.