PowerSchool cybersecurity incident

Letter sent to families and staff on June 8

ICSD families and staff,

 Today, our district, along with thousands of districts across the globe, was informed of a cybersecurity breach involving our Student Information System (SIS) vendor PowerSchool. We take this news seriously as it pertains to the security of private information of our students, parents and employees. 

 The private information accessed could include names, addresses, phone numbers, email addresses and birth dates. Social security numbers are NOT kept in PowerSchool by Iron County School District.

As this cyberattack was directed at the PowerSchool platform, there is nothing the district could have done differently to avoid the access to data. However, we will continue to work with PowerSchool and other vendors to ensure the security of personal information.

 We anticipate PowerSchool will be providing us with resources and additional information by tomorrow and we will share the relevant information as it becomes available to us. 

According to PowerSchool, someone used a compromised credential to access data stored in their SIS. When PowerSchool became aware of the incident, they notified law enforcement, locked down the system and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors. PowerSchool indicates that they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”

Thank you for understanding as we continue to address this matter.

What information was accessed?

Social Security numbers are NOT retained in PowerSchool

Students

  • Name

  • School and State ID

  • Grade level

  • Birthdate

  • Lunch Status (Free or reduced)

  • Lunch balance

  • Medical alerts (not medical records)

  • Emergency contact information (including name, email, phone number and address)

  • Address

  • Email

Staff

Social Security numbers are NOT retained in PowerSchool. Birth years for employees are not retained in PowerSchool

  • Name

  • Contact information (includes email addresses and phone numbers)

Next steps

PowerSchool is working with cybersecurity experts from CrowdStrike to investigate further. We expect PowerSchool to release more information over the next two weeks and we will provide updates as we receive additional information.

PowerSchool indicated they will be providing credit/identity monitoring services to affected individuals.