PowerSchool data breach exposes student and staff information, prompts security enhancements

Concerns arise as PowerSchool was hacked, potentially revealing personal information about students.

By Ana Hurtado, Editor-in-Training • March 15, 2025

A student logs into PowerSchool on a Chromebook. The student’s ID has been digitally removed from the image for privacy.

When it comes to school, security and safety must be a priority for the well-being of students, staff, and the community. On March 6, PowerSchool users received a notice about a cybersecurity “incident” involving the unauthorized exfiltration of personal information. This included one or more of the following: name, date of birth, contact information, Social Security Number, limited medical alert information, and more.

Any staff member or student whose information was compromised in the breach has been offered two years of complimentary identity protection and credit monitoring services.

The following email was written by Superintendent Kurt Johansen:

“Dear West Chicago Community High School,

We are writing to inform you of a recent incident involving PowerSchool, a vendor that provides important services to our school district. On December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain data through their customer support portal, PowerSource. Once aware, PowerSchool immediately partnered with CyberSteward, a cybersecurity incident response company. Through their work with CyberSteward, PowerSchool informed us that they have ‘a high degree of confidence’ that the compromised data has been deleted and is no longer accessible.

PowerSchool notified West Chicago Community High School on January 7 informing us that ‘your product was not impacted’ by the cybersecurity incident. Unfortunately, earlier today we became aware that the individuals who breached PowerSchool were able to access limited student and staff information. Given the information received, we have no indication that data such as Social Security numbers, birth certificates, medical records, or financial information was compromised.

PowerSchool has informed us that they ‘have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,’ and they ‘do not anticipate the data being shared or made public.’ PowerSchool has confirmed that the issue is contained and that their systems are operating as normal.

West Chicago Community High School values your trust and partnership. With that said, we will be sure to update you in a timely manner should we receive additional information from PowerSchool.

Thank you for your understanding and support as we work to maintain the security and integrity of our systems.

Sincerely,

Dr. Kurt Johansen”

It is likely that the individuals responsible were motivated by financial gain or blackmail.

“The ‘why’ can vary wildly depending on the target and the purpose. In this particular case, the ‘why’ was for financial gain for the threat-actors, or blackmail. PowerSchool was willing to pay large sums of money to prevent the release of the data publicly. The reason that it all occurred in the first place was because the security measures of a company that PowerSchool contracts for support weren’t up to standards, which allowed access to almost every PowerSchool server from just a single compromised user account,” Director of Technology at WCCJS Bob Schmidt said.

However, there is reassurance that both West Chicago and PowerSchool are taking extensive measures to prevent further incidents like this one.

“For PowerSchool, many steps have been taken to prevent further issues,” Schmidt said.

According to Schmidt, some of the steps PowerSchool has implemented since the breach include:

Support engineers are now required to use multi-factor authentication.
Support engineers must access the support portal through a VPN, also protected via MFA.
The maintenance access accounts used to export the data have been disabled on all PowerSchool servers. These accounts will only be activated if support from PowerSchool is needed.
All support engineer account passwords were forced to be reset.
PowerSchool will regularly conduct audits and assessments to identify and address potential security weaknesses.
PowerSchool is minimizing the storage of sensitive information and utilizing encryption to protect stored data from unauthorized access.

Schmidt also emphasized that cybersecurity is a top priority at WCCHS, with ongoing efforts such as password management, multi-factor authentication, system updates, and staff training to mitigate risks.

Although the breach affected many PowerSchool users, most students were unaware of the situation because emails were only sent to those over the age of 18. For younger students, their parents were contacted instead.

Some students who did receive the email did not take immediate action.

“I saw the email during school, so I kind of disregarded it quickly,” said senior Isabella Diep.

However, Diep expressed concerns about the breach.

“I feel a little concerned for my personal information that I give to the school,” she said.

She believes the school should take additional steps to make students aware of cybersecurity threats and how to respond to them.

“I think they should definitely put it in the announcements because we see that like every day, and I think that they should send a letter home as well,” Diep said.

English teacher Mrs. Ward addressed concerns about the breach from both a teacher’s and a parent’s perspective.

“One of my biggest concerns was, if you’ve never had a previous experience, most people would look at that email and say, ‘Why do I care if someone knows what my son’s/daughter’s grades are?’ And I think the perception is a real problem there. I don’t think we’re looking underneath the cybersecurity hack and what the dangers are. When someone hacks your school data, they’re getting way more than just grades or attendance records,” Ward said.

About the Contributors

Ana Hurtado, Editor-in-Training

Sophomore Ana Hurtado is very involved within school. She not only is managing for the boys’ soccer team this fall, but will be playing Varsity soccer at WCCHS in the spring. As a lover of English, she reads in her spare time, but Ana’s true passion lies within writing. This led her to joining the Wildcat Chronicle this school year for the first time, where she has already gained more knowledge and exposure in the writing field. This Editor-in-Training is a three-time Best of SNO winner, which is an incredibly feat for someone new to the staff. In the future, Ana wishes to go into English education – if not, then sociology for social work – but whatever path she takes, she knows it will lead her to having a fulfilling life.

Ruby Guerrero, Editor-in-Training

Ruby Guerrero Lopez is a sophomore at West Chicago Community High School, and is new to journalism. Occasionally, you can find her out walking her dog, but you will always see her writing, reading, or drawing; she is a huge Harry Potter and Marvel fan and can talk your ear off about either (and frequently does). She is hoping to write some stories for the Wildcat Chronicle this year, but ultimately wants to pursue a job in the STEM field as an engineer or peds worker, which would obviously involve a bachelor’s, master’s, and doctorate.

Comments (0)

Any comment made will go through the Wildcat Chronicle to be approved. Obscene, suggestive, vulgar, profane, threatening, disrespectful, defamatory language will not be published. Attacks made towards race, gender, sexual orientation, or creed will not be tolerated. Comments should be relevant to the article or the writer; please respect the author and the other commenters. Comments must be 300 words or less. All comments are the property of the Wildcat Chronicle after being submitted. In order to submit a comment, a valid e-mail address must be used, and the email must be verified. Impersonating another person’s name is prohibited.

Share your thoughts...

All Wildcat Chronicle Picks Reader Picks Sort: Newest