A data breach of South’s grade and attendance tracking system, PowerSchool, has leaked students personal information and the information of their guardians, IEP and 504 Plan information, and a limited number of Social Security numbers, District 225 (D225) officials said in an email sent to district families and staff. Additionally, teachers’ school emails, phone numbers, and department information may have been breached, the email said.
The breach has affected PowerSchool users nationwide, however approximately 53,740 records of current and former South students were accessed, as well as 5,195 employee records, the email said. D225 is confident that any sharing or circulation of this information is limited, the email added.
“Currently, there is no evidence that data taken from PowerSchool’s systems has been publicly disclosed.” Ryan Manly, Senior Technology Services Manager, said. “[D225 uses] various security measures for our [technology] systems, including multi-factor authentication.”
Using their own cybersecurity firm, D225 is addressing any information that may have been leaked, Manly said.
Moving forward, D225 will review which IT staff has access to information to prevent possible future breaches, Manly said. Additionally, PowerSchool has hired cybersecurity company Crowdstrike to investigate the breach and will be taking further steps to protect user’s data, the email said.
An Illinois law, the Student Online Personal Protection Act (SOPPA), sets rules and regulations on student education software, Manly said. SOPPA mandates that when schools form partnerships with educational software companies, they must have a provision in their agreement about data breaches and protection. This prompted D225 to notify students and families of the breach as soon as possible, Manly added.
“We view every breach, not just our own, as a learning opportunity,” Manly said. “This incident is no exception. We are analyzing the nature of the incident and applying lessons learned to our policies and procedures.”