Several Utah school districts affected by vast PowerSchool cyberattack

SALT LAKE CITY — Student data from several Utah school districts was compromised following a recent cyberattack on the popular PowerSchool online education platform.

Salt Lake City, Cache, Iron, Washington, Weber and Park City are among the many Utah school districts that utilize PowerSchool — a popular education technology software platform that students, teachers and parents use to track personal data such as grades, attendance and schedules.

Sensitive student and teacher information was reportedly stolen following last month's hack. PowerSchool is utilized by over 60 million students in over 90 countries, according to the company website.

PowerSchool reported that personal information such as names, addresses, and, in some cases, Social Security numbers and medical information were stolen by "unauthorized actors" in a data breach on Dec. 28, 2024, Newsweek reported.

Data breaches can lead to identity theft, leaving victims vulnerable to fraud and other illegal activities.

Local districts respond to PowerSchool hack

Several of the Utah school districts affected by the PowerSchool security breach have released statements on their respective websites.

"PowerSchool informed our leadership team on Tuesday, Jan. 7, 2025, that they experienced a cybersecurity incident involving unauthorized access to certain PowerSchool SIS customer data," according to the Cache County School District site.

"While our PowerSchool data is stored on a district server, the company maintains credentials to our PowerSchool systems so they can provide support to our customers. These credentials, housed at PowerSchool, were compromised and were used to obtain unauthorized access to PowerSchool systems and data throughout the country, including our district and at least five other districts in Utah."

According to the Cache school district, PowerSchool reported that the following student information was compromised during their data breach:

• Student state and district identification numbers.
• Student names.
• Enrollment status, grade levels, schedules, year of graduation and school location.
• Gender, ethnicity, date of birth, address and phone numbers.
• Parent and emergency contact information (names, addresses and phone numbers).
• Other details such as lunch balances, fee waiver status and locker numbers.

Cache County representatives noted that it does not store Social Security numbers in PowerSchool, so that information was not compromised.

Washington, Iron school districts respond to breach: 'Deeply concerning'

The Washington School District posted a similar update on its site, saying, "PowerSchool has assured us that the incident is contained.

"In addition, the District has restricted PowerSchool's access to our systems until we can ensure that all PowerSchool's systems are secure. Our technology director and I.T. department are actively investigating the situation to thoroughly evaluate its impact on both staff and student data within our District.

"This news, along with PowerSchool's delay in reporting it to us, is deeply concerning. Affected data may include sensitive personal information such as names, addresses, date of birth and email addresses.

"Social Security numbers were not involved and the District does not store any Social Security numbers in PowerSchool."

Iron County School District sent an email referencing the PowerSchool data breach parents earlier this week:

"The private information accessed could include names, addresses, phone numbers, email addresses and birth dates. Social Security numbers are not kept in PowerSchool by Iron County School District," the email reported.

The Iron County email added that the cyberattack was directed to the PowerSchool platform, so there was nothing the district could have done differently to avoid access to the compromised data.

"However, we will continue to work with PowerSchool and other vendors to ensure the security of personal information."

"We anticipate PowerSchool will be providing us with resources and additional information … we will share the relevant information as it becomes available to us," the email stated.

How did the PowerSchool hack happen?

The hacker (or hackers) that accessed PowerSchool data did so by using a "compromised credential" to enter PowerSource, an online portal customers can use to get help with PowerSchool's various products for schools, Education Week reported.

Information the hacker accessed "relates to families and educators," and those affected are users of PowerSchool's student information system.

When asked about how many people may be impacted by the data breach, a spokesperson for PowerSchool told Newsweek they "don't have specifics to share at this time. I can tell you that we are still working through our detailed data review, and our priority is providing all necessary details to our customers as soon as possible."

The company said "a certain subset of the customers" may also have had their Social Security numbers and "other personally identifiable information, and limited medical and grade information" stolen.

In response to the breach, PowerSchool has deactivated the account used to access the system and "conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts," according to Education Week.

The company also plans to provide credit monitoring to "a subset" of adults affected by the breach and identity protection services to minors who were affected.

Schools remain a prime target for cyberattacks, Education Week reported, "because they store so much data, have lots of staff and students with access to their systems and have increasingly relied on online storage systems to store that data."

Related topics