When it comes to school, security and safety must be a priority for the well-being of students, staff, and the community. On March 6, PowerSchool users received a notice about a cybersecurity “incident” involving the unauthorized exfiltration of personal information. This included one or more of the following: name, date of birth, contact information, Social Security Number, limited medical alert information, and more.
Any staff member or student whose information was compromised in the breach has been offered two years of complimentary identity protection and credit monitoring services.
The following email was written by Superintendent Kurt Johansen:
“Dear West Chicago Community High School,
We are writing to inform you of a recent incident involving PowerSchool, a vendor that provides important services to our school district. On December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain data through their customer support portal, PowerSource. Once aware, PowerSchool immediately partnered with CyberSteward, a cybersecurity incident response company. Through their work with CyberSteward, PowerSchool informed us that they have ‘a high degree of confidence’ that the compromised data has been deleted and is no longer accessible.
PowerSchool notified West Chicago Community High School on January 7 informing us that ‘your product was not impacted’ by the cybersecurity incident. Unfortunately, earlier today we became aware that the individuals who breached PowerSchool were able to access limited student and staff information. Given the information received, we have no indication that data such as Social Security numbers, birth certificates, medical records, or financial information was compromised.
PowerSchool has informed us that they ‘have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,’ and they ‘do not anticipate the data being shared or made public.’ PowerSchool has confirmed that the issue is contained and that their systems are operating as normal.
West Chicago Community High School values your trust and partnership. With that said, we will be sure to update you in a timely manner should we receive additional information from PowerSchool.
Thank you for your understanding and support as we work to maintain the security and integrity of our systems.
Sincerely,
Dr. Kurt Johansen”
It is likely that the individuals responsible were motivated by financial gain or blackmail.
“The ‘why’ can vary wildly depending on the target and the purpose. In this particular case, the ‘why’ was for financial gain for the threat-actors, or blackmail. PowerSchool was willing to pay large sums of money to prevent the release of the data publicly. The reason that it all occurred in the first place was because the security measures of a company that PowerSchool contracts for support weren’t up to standards, which allowed access to almost every PowerSchool server from just a single compromised user account,” Director of Technology at WCCHS Bob Schmidt said.
However, there is reassurance that both West Chicago and PowerSchool are taking extensive measures to prevent further incidents like this one.
“For PowerSchool, many steps have been taken to prevent further issues,” Schmidt said.
According to Schmidt, some of the steps PowerSchool has implemented since the breach include:
- Support engineers are now required to use multi-factor authentication.
- Support engineers must access the support portal through a VPN, also protected via MFA.
- The maintenance access accounts used to export the data have been disabled on all PowerSchool servers. These accounts will only be activated if support from PowerSchool is needed.
- All support engineer account passwords were forced to be reset.
- PowerSchool will regularly conduct audits and assessments to identify and address potential security weaknesses.
- PowerSchool is minimizing the storage of sensitive information and utilizing encryption to protect stored data from unauthorized access.
Schmidt also emphasized that cybersecurity is a top priority at WCCHS, with ongoing efforts such as password management, multi-factor authentication, system updates, and staff training to mitigate risks.
Although the breach affected many PowerSchool users, most students were unaware of the situation because emails were only sent to those over the age of 18. For younger students, their parents were contacted instead.
Some students who did receive the email did not take immediate action.
“I saw the email during school, so I kind of disregarded it quickly,” said senior Isabella Diep.
However, Diep expressed concerns about the breach.
“I feel a little concerned for my personal information that I give to the school,” she said.
She believes the school should take additional steps to make students aware of cybersecurity threats and how to respond to them.
“I think they should definitely put it in the announcements because we see that like every day, and I think that they should send a letter home as well,” Diep said.
English teacher Mrs. Ward addressed concerns about the breach from both a teacher’s and a parent’s perspective.
“One of my biggest concerns was, if you’ve never had a previous experience, most people would look at that email and say, ‘Why do I care if someone knows what my son’s/daughter’s grades are?’ And I think the perception is a real problem there. I don’t think we’re looking underneath the cybersecurity hack and what the dangers are. When someone hacks your school data, they’re getting way more than just grades or attendance records,” Ward said.