PowerSchool Data Breach | January 2025

  • Rochester City School District Families and Staff,

    We want to inform you about a cybersecurity incident involving PowerSchool, the District’s student management system, which was reported earlier this month. This incident involved unauthorized access to information through a compromised credential on one of PowerSchool’s customer support portals. It affects thousands of districts across the United States and Canada.

    PowerSchool has confirmed that unauthorized access occurred on their PowerSource support portal, exposing user data. PowerSchool is actively working with law enforcement and cybersecurity experts to investigate the situation and will continue to share updates as they are available.  As soon as PowerSchool learned of the incident, they engaged in cybersecurity response protocols and mobilized a team of cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse.

    PowerSchool has indicated that they are not aware of any identity theft attributable to this incident. Through discussions with PowerSchool leadership, it was made clear there was no additional action RCSD could have taken to prevent the breach. PowerSchool said the incident was an attack on the company, not any particular school system.

    Starting in the next few weeks, in collaboration with Experian, PowerSchool will provide notice to students (or their parents/guardians, if the student is under 18) and staff whose information was involved and a phone number to answer any questions you may have about the incident. PowerSchool and Experian now offer identity protection and credit monitoring services, as applicable.

    PowerSchool has posted a public statement and a community-facing FAQ document on its website. These resources will be updated regularly to help school communities understand the extent of the incident and its implications.

    Our technology team has identified the specific RCSD information that may have been accessed:

    • Approximately 134,000 student records, including First Name, Last Name, Date of Birth (DOB), Home Address, email address, all phone numbers, and emergency contacts (name, phone number, address, email). In addition, legal alerts may have been accessed; and medical diagnoses and conditions, including alerts for allergies, diabetes, asthma, etc., and the doctor’s name and phone number may also have been accessed.

    • Staff information, including First Name, Last Name, assigned school, email address, and New York State TEACH ID number.

    I encourage you to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the cybersecurity incident. We are committed to keeping our community informed and will provide updates as we learn more. Thank you for your understanding and support as we address this matter.

    Sincerely,

    Dr. Terri Orden
    Executive Director of Accountability and Program Efficiencies
    RCSD Data Privacy Officer

    * Updated January 30, 2025