ICSD families and staff,

 We are writing to update you regarding the recent cybersecurity incident involving PowerSchool, the software vendor that provides our Student Information System (SIS). 

Today, January 29, 2025, PowerSchool initiated the process of notifying individuals whose information was determined to be involved. 

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services to current and former students and educators that had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Security Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved individuals (or their parent/guardian, as applicable) for whom PowerSchool has sufficient contact information. 

Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. 

The attached “General Information About Identity Theft Protection” from PowerSchool provides further information about what steps you can take.

Protecting our students and teachers remains our top priority. Thank you again for all of your support and understanding during this time. 

Sincerely,

Lance Hatch
Iron County School District Superintendent

Letter sent to families and staff on Jan. 8

ICSD families and staff,

 Today, our district, along with thousands of districts across the globe, was informed of a cybersecurity breach involving our Student Information System (SIS) vendor PowerSchool. We take this news seriously as it pertains to the security of private information of our students, parents and employees. 

 The private information accessed could include names, addresses, phone numbers, email addresses and birth dates. Social security numbers are NOT kept in PowerSchool by Iron County School District.

As this cyberattack was directed at the PowerSchool platform, there is nothing the district could have done differently to avoid the access to data. However, we will continue to work with PowerSchool and other vendors to ensure the security of personal information.

 We anticipate PowerSchool will be providing us with resources and additional information by tomorrow and we will share the relevant information as it becomes available to us. 

According to PowerSchool, someone used a compromised credential to access data stored in their SIS. When PowerSchool became aware of the incident, they notified law enforcement, locked down the system and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors. PowerSchool indicates that they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”

Thank you for understanding as we continue to address this matter.

• Name

• School and State ID

• Grade level

• Birthdate

• Lunch Status (Free or reduced)

• Lunch balance

• Medical alerts (not medical records)

• Emergency contact information (including name, email, phone number and address)

• Address

• Email

• Name

• Contact information (includes email addresses and phone numbers)

PowerSchool or Experian will send information to families about signing up for two years of credit monitoring. Learn more at http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

PowerSchool issued this public statement and community-facing FAQs on Jan. 13,

PowerSchool has more FAQs and instructions for activating Experian at http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/