PowerSchool's Data Breach
UPDATED: January 9, 2025
We will share new information from PowerSchool as it becomes available.
PowerSchool is an education software company that supports over 60 million students and 18,000 customers worldwide. It serves as the student information system (SIS) our district uses to manage student data, including grades, scheduling, attendance, and other education records.
PowerSchool informed our leadership team on Tuesday, January 7, 2025, that they experienced a cybersecurity incident involving unauthorized access to certain PowerSchool SIS customer data. While our PowerSchool data is stored on a district server, the company maintains credentials to our PowerSchool systems so they can provide support to our customers. These credentials, housed at PowerSchool, were compromised and were used to obtain unauthorized access to PowerSchool systems and data throughout the country, including our district and at least five other districts in Utah.
PowerSchool reported the following student information was compromised during their data breach:
- Student state and district identification numbers
- Student names
- Enrollment status, grade level, schedules, year of graduation, and school location
- Gender, ethnicity, date of birth, address, and phone number
- Parent and emergency contact information (names, addresses, and phone numbers)
- Other details, such as lunch balances, fee waiver status, and locker numbers
NOTE - Cache County School District does not collect nor store social security numbers in PowerSchool, so this information was not compromised.
While teacher data was included in the breach, the information stored in PowerSchool was largely limited to first and last names and email addresses, with other minor information potentially affected. There were no social security numbers, payroll information, or other critical data compromised. Only staff members with accounts in PowerSchool were included in the breach; other staff would not have been impacted.
PowerSchool representatives have assured us that data obtained during this breach is now contained and that there is no ongoing threat. They stated that the data has been deleted, no backup copies were made, and the data will not be shared or made public. PowerSchool will continue researching this incident and will communicate with districts about next steps for protecting private data. We will share that information with you as soon as we receive it.
Please note that this breach involves PowerSchool’s systems and platforms and was not the result of a security lapse in district IT systems. While we do utilize external systems that sync our student data, we are very thoughtful about which have access to sensitive information. Due diligence is performed to limit the data provided to these partners while still making the desired services possible. We have privacy agreements in place for all external systems where student data is stored.
Cache County School District takes data security and privacy very seriously. We truly care about protecting student and staff data. Further information will be communicated to individuals who have been affected as we work to determine the scope of impact and as PowerSchool contacts us with additional information (including resources and next steps). Thank you for your understanding and patience as we navigate this situation.