PowerSchool Breach FAQ

A: Unauthorized access was detected in PowerSchool’s Student Information System (SIS). Several websites and news outlets provided overviews of the incident. For more information, please refer to the following articles:

• PowerSchool hack exposes student, teacher data from K-12 districts. 
• PowerSchool data breach possibly exposed student, staff data.
• PowerSchool FAQ

PowerSchool has engaged the cybersecurity firm CrowdStrike to conduct a forensic analysis and share findings towards the end of January.

A: Two default tables from PowerSchool SIS were compromised: one with demographic information of students and one with demographic information of teachers. These tables are a set of default fields provided by PowerSchool, many of which the district does not actively use (there is no data populated in the field).

The following tables outline the percentage of data exposed for each field, calculated as the total number of records for that field divided by the total number of student/employee records breached. This breakdown shares the scope of the exposed data and highlights which data points were more significantly affected. Please refer to the tables below. These are PDF files that should be accessible via web, but may prompt a phone to download a file.

• Student table
• Teacher table

A: PowerSchool has confirmed that they will provide these services, for those applicable but details have not yet been shared. Regardless, we advise steps similar to those in these resources for all impacted by the breach:

1. How to protect your child's identity amid PowerSchool data breach
2. PowerSchool Incident: A few resources for teachers, parents, and former students

We are writing to inform you of a recent nation-wide data security incident involving PowerSchool, a platform used by Arlington Public Schools as well as many other school districts throughout the state and country. During this incident, some sensitive information, including your Social Security number, was accessed without authorization. We deeply regret this situation and take the protection of your personal information very seriously.

As soon as we became aware of the breach, we took immediate action to secure the affected systems and launched a thorough investigation in collaboration with PowerSchool and neighboring communities. While we are implementing additional measures to safeguard our data moving forward, we want to ensure that you have the information and resources you need to protect your identity.

Under Massachusetts law, you have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

 

You may also place a security freeze on your credit reports, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. Under federal law, you cannot be charged to place, lift, or remove a security freeze.

 

You must place your request for a freeze with each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. To place a security freeze on your credit report, you may send a written request by regular, certified or overnight mail to the addresses below. You may also place a security freeze through each of the consumer reporting agencies’ websites or over the phone, using the contact information below. 

 

Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

1-800-349-9960

https://www.equifax.com/personal/credit-report-services/

 

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

https://www.experian.com/freeze/center.html

 

TransUnion Security Freeze

P.O. Box 160

Woodlyn, PA 19094

1-888-909-8872

https://www.transunion.com/credit-freeze

 

In order to request a security freeze, you will need to provide some or all of the following information to the credit reporting agency, depending on whether you do so online, by phone, or by mail:

 

1.     Your full name (including middle initial as well as Jr., Sr., II, III, etc.);

2.     Social Security Number;

3.     Date of birth;

4.     If you have moved in the past five (5) years, the addresses where you have lived over the prior five years;

5.     Proof of current address, such as a current utility bill, telephone bill, rental agreement, or deed;

6.   A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.);

7.     Social Security Card, pay stub, or W2;

8.     If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft. 

The credit reporting agencies have one (1) to three (3) business days after receiving your request to place a security freeze on your credit report, based upon the method of your request. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password (or both) that can be used by you to authorize the removal or lifting of the security freeze. It is important to maintain this PIN/password in a secure place, as you will need it to lift or remove the security freeze.

 

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must make a request to each of the credit reporting agencies by mail, through their website, or by phone (using the contact information above). You must provide proper identification (including name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report. You may also temporarily lift a security freeze for a specified period of time rather than for a specific entity or individual, using the same contact information above. The credit bureaus have between one (1) hour (for requests made online) and three (3) business days (for request made by mail) after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

 

To remove the security freeze, you must make a request to each of the credit reporting agencies by mail, through their website, or by phone (using the contact information above). You must provide proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have between one (1) hour (for requests made online) and three (3) business days (for requests made by mail) after receiving your request to remove the security freeze.

Free Credit Monitoring 

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was exfiltrated from your PowerSchool SIS, which will also include two years of complimentary credit monitoring services for all adult students and educators whose information was involved, regardless of whether an individual’s Social Security number was exfiltrated. 

Experian, a trusted credit reporting agency, will be helping us to provide these services. Details on how to enroll will be included as part of individual notifications. As the offer is specific to this incident, the details contained in the forthcoming enrollment notification will be required to enroll, and cannot be obtained directly from Experian. 

Credit monitoring agencies do not offer credit monitoring services for individuals under the age of 18. If a parent / guardian enrolls an individual under the age of 18 in the offered identity protection services, the individual, upon turning 18, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period. 

How to Protect Against Identity Theft in the Wake of a Data Breach 

 

We recommend viewing both the Federal Trade Commission’s comprehensive website on identity theft and the State’s website on reporting and preventing identity theft. These websites provide information on how to place fraud alerts on your credit file, how to review your financial documents for suspicious activity, and other helpful information regarding what to do in the event that your personal identifying information has been compromised. 

 

If you should have any further questions, please contact Matt Coleman at [email protected].

Dear PowerSchool User or Parent / Guardian of User:

You are receiving this notice on behalf of Matthew Coleman (the “named individual”) from PowerSchool. As you may know, PowerSchool provides software and services to your current or former school or the current or former school of a person to whom you are a parent or guardian. In compliance with State laws, we are writing to share with you some important information regarding a recent cybersecurity incident involving personal information belonging to the named individual.

What Happened?

On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of certain personal information from PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource.

What Information Was Involved?

Due to differences in customer requirements, the types of information involved in this incident included one or more of the following, which varied by person: name, contact information, date of birth, Social Security Number, limited medical alert information, and other related information. At this time, we do not have evidence that the named individual’s Social Security Number was involved. At this time, we do not have evidence that limited medical alert information for the named individual was involved.

What Are We Doing?

PowerSchool is offering two years of complimentary identity protection services to students and educators whose information was involved. For adult students and educators whose information was involved, this offer will also include two years of complimentary credit monitoring services. If your personal information was involved in this incident and you are interested in enrolling in credit monitoring or identity protection, please follow the steps for either Option 1 or Option 2 below:

Option 1: If the Named Individual is 18 or Over Enrollment Instructions • Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC) • Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/plus • Provide your activation code: CTYU949PRK • For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464 • Be prepared to provide engagement number B138812 Details Regarding Your Experian Identityworks Credit Plus Membership A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks: • Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.* • Credit Monitoring: Actively monitors Experian file for indicators of fraud. • Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web. • Identity Restoration: Identity Restoration agents are immediately available to help you address credit and non-credit related fraud. • Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired. • $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers. Option 2: If the Named Individual is Under 18 Enrollment Instructions • Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC) • Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/minorplus • Provide your activation code: CEBP456TRK • For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464 • Be prepared to provide engagement number B138813 Details Regarding Your Experian Identityworks Credit Plus Membership A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks: • Social Security Number Trace: Monitoring to determine whether enrolled minors in your household have an Experian credit report. Alerts of all names, aliases and addresses that become associated with your minor’s Social Security Number (SSN) on the Experian credit report. • Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web. • Identity Restoration: Identity Restoration agents are immediately available to help you address credit and non-credit related fraud. • Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired. • $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.

As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. We are not aware at this time of any identity theft attributable to this incident.

What Can You Do?

You are encouraged to remain vigilant against incidents of identity theft and fraud by reviewing account statements for suspicious activity. PowerSchool will never contact you by phone or email to request your personal or account information. The enclosed “General Information About Identity Theft Protection” provides further information about what steps you can take.

Other Important Information.

If you have any questions or concerns about this notice, please call 833-918-9464, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays).

Sincerely,

The PowerSchool Team