Cybersecurity Incident
On January 7, 2025, St. Louis Park Public Schools was informed by PowerSchool, the district's staff and student information system, of a cybersecurity incident involving unauthorized access to certain information within the PowerSchool system.
Staff and student logins to PowerSchool were not compromised, and we have been reassured that the incident has been contained. PowerSchool has stated that there is no evidence of malware or ongoing unauthorized activity. Furthermore, they believe the compromised data has been deleted and will not be made public or further disseminated.
Learn more about the incident and access past communication.
Communication
- 2/14/2025 PowerSchool Cybersecurity Incident Update
- 1/29/2025 PowerSchool Update on Credit Monitoring
- 1/27/2025 PowerSchool Update
- 1/17/2025 PowerSchool Cybersecurity Incident Update
- 1/8/2025 Important Update on PowerSchool Cybersecurity Incident
2/14/2025 PowerSchool Cybersecurity Incident Update
As you may know, PowerSchool provides software and services to your current or former school or the current or former school of a person to whom you are a parent or guardian. In compliance with State laws, we are writing to share with you some important information regarding a recent cybersecurity incident involving personal information belonging to the named individual.
On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of certain personal information from PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource.
What Information Was Involved?
Due to differences in customer requirements, the types of information involved in this incident included one or more of the following, which varied by person: name, contact information, date of birth, Social Security Number, limited medical alert information, and other related information. At this time, we do not have evidence that the named individual’s Social Security Number was involved. At this time, we do not have evidence that limited medical alert information for the named individual was involved.
What Are We Doing?
PowerSchool is offering two years of complimentary identity protection services to students and educators whose information was involved. For adult students and educators whose information was involved, this offer will also include two years of complimentary credit monitoring services. If your personal information was involved in this incident and you are interested in enrolling in credit monitoring or identity protection, please follow the steps for either Option 1 or Option 2 below:
As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. We are not aware at this time of any identity theft attributable to this incident.
What Can You Do?
You are encouraged to remain vigilant against incidents of identity theft and fraud by reviewing account statements for suspicious activity. PowerSchool will never contact you by phone or email to request your personal or account information. The enclosed “General Information About Identity Theft Protection” provides further information about what steps you can take.
Other Important Information.
If you have any questions or concerns about this notice, please call 833-918-9464, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays).
1/29/2025 PowerSchool Update on Credit Monitoring
Identity and Credit Monitoring Update for United States Customers
Since our last update, we have initiated the process of notifying involved individuals in the U.S. about the resources now available to them. As part of this process, we have posted a notice to our website and published a press release. Credit monitoring and identity protection services are now activated and available.
In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This does not apply to customers who have opted out of this process. The email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a toll-free call center for families and educators in case they have questions about these offerings: 833-918-9464.
For individuals located in Canada, we will be reaching out next week with further information on the resources made available to you.
To our customers and the families and educators that we serve, please know that we sincerely appreciate your continued patience throughout this process. We remain committed to supporting you.
1/27/2025 PowerSchool Update
PowerSchool Notifies Applicable Attorneys General Offices Regarding Cybersecurity Incident
As we have communicated previously, on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of personal information from certain PowerSchool Student Information System (SIS) environments. Related to that incident, today, January 27, 2025, PowerSchool began the process of filing regulatory notifications with Attorneys General Offices across applicable U.S. jurisdictions on behalf of impacted customers who have not opted out of our offer to do so. PowerSchool has also started the process of notifying Canadian regulators. We will provide a separate update to our international customers later this week.
Some U.S. customers may also have notification requirements with their state’s Department of Education where required. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to those customers on making these notifications.
We are providing this update for broad awareness, and no further action is required from our customers at this time. In the coming days, PowerSchool will begin to provide notification of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool.
We will be in contact directly with customers again soon with more information. Thank you to our customers, and their broader communities, for their ongoing patience and partnership.
1/17/2025 PowerSchool Cybersecurity Incident Update
The following message was shared with SLP administration.
Thank you for your continued patience and partnership as we address the recent cybersecurity incident. Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.
As a PowerSchool SIS customer whose information was involved, I am writing to provide you with updates on several important next steps:
Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.
Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.
Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and relevant state attorney general offices on your behalf. We hope to relieve the burden of these notifications on you and your institution. You may opt out if you would prefer to notify directly.
Community: PowerSchool will coordinate with Experian to provide notice on your behalf to students (or their parents / guardians if the student is under 18) and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
Regulatory: PowerSchool will provide notification on your behalf to relevant state attorney general offices. You may also have notification requirements with your state’s Department of Education where required. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to you on these notifications.
I sincerely value the trust you have placed in PowerSchool. We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.
We appreciate all that you are doing to support families and educators through this process.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
1/8/2025 Important Update on PowerSchool Cybersecurity Incident
Message sent to families and staff on Wednesday, January 8, 2025
St. Louis Park Public Schools uses a staff and student information system hosted and operated by PowerSchool. On Tuesday, January 7, PowerSchool informed us of a cybersecurity incident involving unauthorized access to certain information within the PowerSchool Student Information Systems (SIS). No locally operated technology systems were compromised during this incident, and at this time, no action is required from you.
Our Information Services team is actively working with PowerSchool to understand the scope and details of the incident. PowerSchool has confirmed that they immediately implemented their cybersecurity response protocols, mobilized a cross-functional response team, engaged senior leadership, and retained third-party cybersecurity experts. Law enforcement has also been notified.
Staff and student logins to PowerSchool were not compromised, and we have been reassured that the incident has been contained. PowerSchool has stated that there is no evidence of malware or ongoing unauthorized activity. Furthermore, they believe the compromised data has been deleted and will not be made public or further disseminated.
We remain committed to keeping you informed. Our team is participating in PowerSchool's informational sessions, engaging with our Customer Success Manager, and coordinating with other affected schools to gather additional insights. We will share updates as more information becomes available.
Thank you for your understanding and patience as we navigate this situation.
Sincerely,
SLP Communications
Frequently Asked Questions
- When was the district notified of the breach?
- What is the district's response plan?
- Was my data released to the public?
- Is there anything I need to do?
- When will PowerSchool provide next steps to schools, educators and families?
- What steps is PowerSchool taking to prevent this from happening again?
When was the district notified of the breach?
What is the district's response plan?
Our Information Services team is actively working with PowerSchool to understand the scope and details of the incident. PowerSchool has confirmed that they immediately implemented their cybersecurity response protocols, mobilized a cross-functional response team, engaged senior leadership, and retained third-party cybersecurity experts. Law enforcement has also been notified.
Was my data released to the public?
Staff and student logins to PowerSchool were not compromised, and we have been reassured that the incident has been contained. PowerSchool has stated that there is no evidence of malware or ongoing unauthorized activity. Furthermore, they believe the compromised data has been deleted and will not be made public or further disseminated.
Is there anything I need to do?
When will PowerSchool provide next steps to schools, educators and families?
What steps is PowerSchool taking to prevent this from happening again?
PowerSchool is committed to protecting the security and integrity of our applications and regularly reviews and enhances its security policies and practices. They will continue to prioritize and invest significantly in their cybersecurity defenses.
St. Louis Park Public Schools' Information Services team is participating in PowerSchool's informational sessions, engaging with our Customer Success Manager, and coordinating with other affected schools to gather additional insights. We will share updates as more information becomes available.