The PowerSchool Cybersecurity Incident

On December 28th, PowerSchool, a leading education technology software platform for North American schools, confirmed a cyberattack that resulted in the theft of sensitive student and teacher information.

This breach involved unauthorized access to certain PowerSchool Student Information System (SIS) data through one of its community-focused customer portals, PowerSource.

PowerSchool Breach: A Lesson in Cybersecurity and Third-Party Vendors

PowerSchool provides a cloud-based platform to K-12 schools across North America, supporting over 60 million students.

The company offers a comprehensive range of services to help school districts operate efficiently, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.

According to PowerSchool’s statement, the company is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as usual. There is no evidence that other PowerSchool products were affected by this incident or that malware or continued unauthorized activity exists within the PowerSchool environment.

On January 13th, PowerSchool reported that some personally identifiable information (PII), such as social security numbers (SSN) and medical information, was involved for certain individuals. The company is working urgently to complete its investigation and identify the individuals whose data may have been compromised.

Key Takeaway: Do not assume third-party vendors have you covered. As Ed Law 2d requires, it is not enough to identify and document your vendors; it is essential to understand the security controls your vendor uses to secure your data.

Best Practices for K-12 School Districts:

• Identify all applications containing sensitive data: School administrators must be vigilant about updating their application inventory and identifying applications that store, process, and transmit sensitive information.
• Evaluate third-party vendor risk: Assess the risk when your data is stored, processed, or transferred using your vendor’s service. If you need help…
• Have Sourcepass GOV conduct a cybersecurity risk assessment: Assess third-party risk, identify gaps in security control best practices, and receive recommendations for closing those gaps.

The PowerSchool breach underscores the importance of robust cybersecurity measures in protecting sensitive educational data. Schools and parents must remain proactive in safeguarding student information, whether it is locally stored or held by a third party.

Want to Learn More? Sourcepass GOV Can Help! 

At Sourcepass GOV, our data security experts evaluate the risk of losing student and employee data confidentiality, integrity, and availability. We provide a comprehensive report with recommendations to strengthen security safeguards and protect your critical data.

Contact Sourcepass GOV today if you have any questions about third-party risk, cybersecurity risk, or protecting sensitive data.