Return to Headlines

PowerSchool Impacted by Worldwide Security Incident

Dear CJ Famiies,

 

On Tuesday, January 7, 2025, PowerSchool notified us that Carl Junction Schools was among PowerSchool’s many worldwide clients whose data may have been accessed during a cybersecurity incident in late December. PowerSchool became aware of the breach on Dec. 28, 2024. This breach is on PowerSchool’s end and has not affected any of our other systems in the district.

 

In light of this disclosure, we researched the access to our system and found that Powerschool’s compromised account did access our system on December 21, 2024. We are awaiting more information, but we want our community to be aware of the ongoing situation being investigated.

 

What happened?

According to PowerSchool, someone used a compromised credential to access data stored in many PowerSchool clients' Student Information System (SIS). When PowerSchool became aware of the incident, they notified law enforcement, locked down the system, and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors. PowerSchool states they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.” Historical student and staff information was not included in this breach.

 

What data was accessed?

Our IT team has investigated access logs during the suspected time. They found that Personally Identifiable Information (PII) for staff and students was accessed. At this time, we believe the following current student and staff data was accessed: 

  • Directory information, including student and staff names and addresses (this information is always available, so it is not considered to be PII)

  • Student Information Alerts for medical and custody issues
  • Student’s parent/guardian names

  • Student grade point average, ethnicity, and lunch status

 

No passwords appear to have been accessed, so no student or staff login credentials were compromised. With the help of PowerSchool support, we will continue to narrow down the impact of the cybersecurity incident. We will work with PowerSchool to ensure that any impacted individuals are notified, and appropriate next steps are taken.

 

What happens next?

PowerSchool has stated, “While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.” PowerSchool is also continuing to work with the FBI to monitor the situation.

 

While PowerSchool is responsible for this incident and its impact, and it is not something Carl Junction Schools could have prevented, out of an abundance of caution, Carl Junction Schools has notified its cybersecurity contractor, Adira, to direct our further response. CrowdStrike is also working directly with PowerSchool to investigate the incident and anticipates a full report will be available around January 17, 2025. We are also in consultation with district legal counsel and cybersecurity insurance provider MUSIC, as directed by District Policy.

 

Who can I contact with questions and concerns?

We anticipate PowerSchool will provide impacted individuals with resources and additional information, which we will share when they are made available to us. We will also post updates about this situation on our website.

 

Carl Junction Schools is committed to protecting our student, staff, and family data and will continue communicating transparently about this event. Any updates about this incident will be shared as our understanding progresses.

 

Sincerely,

Dr. Phillip Cook

Superintendent of Schools