PowerSchool Notifies Applicable Attorneys General Offices Regarding Cybersecurity Incident  

As we have communicated previously, on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of personal information from certain PowerSchool Student Information System (SIS) environments. Related to that incident, today, January 27, 2025, PowerSchool began the process of filing regulatory notifications with Attorneys General Offices across applicable U.S. jurisdictions on behalf of impacted customers who have not opted-out of our offer to do so. PowerSchool has also started the process of notifying Canadian regulators. We will provide a separate update to our international customers later this week.  

Some U.S. customers may also have notification requirements with their state’s Department of Education where required. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to those customers on making these notifications.   

We are providing this update for broad awareness, and no further action is required from our customers at this time. In the coming days, PowerSchool will begin to provide notification of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool. 

We will be in contact directly with customers again soon with more information. Thank you to our customers, and their broader communities, for their ongoing patience and partnership. 

Status Update

Thank you for your continued patience as we navigate this cybersecurity incident. As we reported last week, PowerSchool will be offering complimentary identity protection services as applicable for all students and educators whose information was involved, plus two years of credit monitoring for adults, regardless of whether an individual’s Social Security Number or Social Insurance Number was exfiltrated. As we move forward with the process of notifying students and educators whose information was involved, as well as regulators on our customer’s behalf, we will provide another update in the next few days.

In addition to regularly updating the various FAQs on this web page, we want to address a recurring question: what data was involved, and for how many schools and individuals? We cannot confirm precise numbers because our data review process is still ongoing. Further, it is difficult to make broad statements about what data was involved because the answer varies by individual customer and is dependent on customer choice  or district policies and requirements. We continue to prioritize transparent and direct communication with our customers and our shared communities, and remain committed to providing accurate and transparent updates as more information becomes available. We want to again extend our gratitude to our customers and the students, families and educators we serve. We are dedicated to using this incident as an opportunity to grow stronger and build greater resilience as a company.

What Happened

On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool Student Information System (SIS) information through one of our community-focused customer portals, PowerSource.

PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

Steps We’re Taking in Response

As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

Who Was Affected

On January 7, 2025, we proactively communicated this incident to the PowerSchool SIS customers affected by this incident, and we continue to support them through next steps. Districts and schools that do not utilize PowerSchool SIS were not affected. If you are a parent or guardian who wants to know if your school was involved, please reach out to your school directly.

Moving Forward

We take our responsibility to protect student, family, and educator data privacy extremely seriously, and we are committed to providing customers, families, and educators with resources and support as we work through this together.

We would like to extend a sincere note of gratitude to our customer, educator and family communities for their continued patience and cooperation. We apologize for any concern this incident may cause you and are working hard to provide you timely updates.

General FAQ

What happened?

On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.  We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

When will PowerSchool provide next steps to schools, educators and families?

We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

What steps are you taking to prevent this from happening again?

PowerSchool is committed to protecting the security and integrity of our applications and regularly reviews and enhances it security policies and practices. We continue to prioritize and invest significantly in our cybersecurity defenses.

What is the timeline for providing notification information to schools, educators and families?

As PowerSchool is working to complete our investigation, we are also taking steps to set up a system – in coordination with our customers – to be able to provide supportive resources (including credit monitoring or identity protection services if applicable) for individuals whose data may have been involved. As we have more definitive information on our timeline, we will share that accordingly.

FAQ for Families

Who is PowerSchool?

PowerSchool provides cloud-based software to K-12 schools. This security incident affected some of the districts using the PowerSchool Student Information System product. We have no evidence that any other PowerSchool products were affected as a result of this incident.

Am I required to reach out to my school or take any steps as a parent or guardian at this time?

No. If you are a parent or guardian of a student under the age of 18 and your student’s information was exfiltrated from their district’s PowerSchool SIS, you may receive a notification email from PowerSchool. Additionally, we have posted on our website and distributed a media release informing individuals of the incident and resources we have offered. 

Was any student or family data involved in this incident?

For involved current and former students, parents / guardians of students, and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. The majority of individuals did not have their medical alert information or Social Security Number involved.

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Is PowerSchool offering credit monitoring?

We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

Would PowerSchool reach out to me directly to discuss this incident, including requesting my personal information?

PowerSchool is committed to keeping our community informed and will be providing further resources as they become available. However, please remain vigilant as PowerSchool will never contact you by phone or email to request your personal or account information.

FAQ for Educators

Was any educator data involved in this incident?

Across our customer base, we have determined that for a portion of individuals, some personally identifiable information (PII), such as social security numbers (SSN) and medical information, was involved. We are working with urgency to complete our investigation and identify the individuals whose data may have been involved.

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Is PowerSchool offering credit monitoring?

We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

How many districts and schools were involved?

Because of our ongoing investigation, we are not sharing specifics around the number of districts and schools we believe were involved. We are in communication with those customers directly and are supporting them through next steps.

FAQ for Customers

Was data from my school district involved?

We have proactively contacted the SIS customers that we believe may have had data involved. If you are not a SIS customer, you were not affected.

Should we take any action to secure our own systems?

We do not believe there is an ongoing risk to our systems. We have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.

Were other PowerSchool products affected?

Other than PowerSchool SIS, we have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

Identity and Credit Monitoring Update for United States Customers

Since our last update, we have initiated the process of notifying involved individuals in the U.S. about the resources now available to them. As part of this process, we have posted a notice to our website and published a press release. Credit monitoring and identity protection services are now activated and available.

In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This does not apply to customers who have opted out of this process. The email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a toll-free call center for families and educators in case they have questions about these offerings: 833-918-9464

For individuals located in Canada, we will be reaching out next week with further information on the resources made available to you.   

To our customers and the families and educators that we serve, please know that we sincerely appreciate your continued patience throughout this process. We remain committed to supporting you.  

General FAQ 

What is the timeline for providing notification information to schools, educators and families? 

PowerSchool initiated notifying our customers on January 7, as well as individuals on January 29 by posting a notice to our website, and publishing a press release. In the coming weeks, direct email notifications will go out to involved students and educators for whom we have sufficient contact information.   

FAQ for Families

Why is Experian notifying me instead of PowerSchool?  

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services on behalf of PowerSchool and our customers who opted in to these services. Additionally, PowerSchool worked with Experian to set up a dedicated, toll-free call center to answer any questions regarding the incident that involved individuals may have. 

How do I sign up for credit monitoring? 

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

What if I don’t get an email?  

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/ This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email. 

What information of mine was involved?  

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.  Please note regardless of whether an individual’s Social Security Number was exfiltrated, we are offering two years of complimentary identity protection services for all current and former students, parents / guardians of students, and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students, and educators whose information was determined to be involved.  

FAQ for Educators

Why is Experian notifying me instead of PowerSchool?  

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services on behalf of PowerSchool and our customers who opted in to these services. Additionally, PowerSchool worked with Experian to set up a dedicated, toll-free call center to answer any questions regarding the incident that involved individuals may have. 

How do I sign up for credit monitoring? 

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. 

What if I don’t get an email?  

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email. 

FAQ for Customers

How will students and educators be notified if their information was involved? 

We have initiated the process of notifying involved individuals. In the coming weeks following Jan. 29, direct email notifications will go out, and in the meantime, we have distributed a media release and posted a notice to our website. 

Updated Information for U.S. Families, Educators and Customers

What Happened

On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of personal information from certain PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

Identity Protection & Credit Monitoring Services

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.
PowerSchool has engaged Experian, a trusted credit reporting agency, to provide these services. Starting in the next few weeks, PowerSchool will coordinate with Experian to provide notice on behalf of our customers to students (or their parents/guardians if the student is under 18) and educators whose information was exfiltrated from their PowerSchool SIS.

Student and Educator Data Involved

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.

Who Was Affected

On January 7, 2025, we proactively communicated this incident to the PowerSchool SIS customers affected by this incident. On January 17, 2025, PowerSchool shared next steps with those same SIS customers. Districts and schools that do not utilize PowerSchool SIS were not affected.

Steps We Are Taking in Response & Moving Forward

As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. Since then, over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community. We take our responsibility to protect student, family, and educator data privacy extremely seriously, and we are committed to providing customers, families, and educators with resources and support as we work through this together.

General FAQ

What happened?

On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.  We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

When will PowerSchool provide next steps to schools, educators and families?

We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.

What steps are you taking to prevent this from happening again?

PowerSchool is committed to protecting the security and integrity of our applications and regularly reviews and enhances it security policies and practices. We continue to prioritize and invest significantly in our cybersecurity defenses.

What is the timeline for providing notification information to schools, educators and families?

As PowerSchool is working to complete our investigation, we are also taking steps to set up a system – in coordination with our customers – to be able to provide supportive resources (including credit monitoring or identity protection services if applicable) for individuals whose data may have been involved. As we have more definitive information on our timeline, we will share that accordingly.

FAQ for Families

Who is PowerSchool?

PowerSchool provides cloud-based software to K-12 schools. This security incident affected some of the districts using the PowerSchool Student Information System product. We have no evidence that any other PowerSchool products were affected as a result of this incident.

Am I required to reach out to my school or take any steps as a parent or guardian at this time?

No. If you are a parent or guardian of a student under the age of 18 and your student’s information was exfiltrated from their district’s PowerSchool SIS, you may receive a notification email from PowerSchool. Additionally, we have posted on our website and distributed a media release informing individuals of the incident and resources we have offered. 

Was any student or family data involved in this incident?

For involved current and former students, parents / guardians of students, and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. The majority of individuals did not have their medical alert information or Social Security Number involved. 

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Will I get identity protection or credit monitoring?

PowerSchool is offering complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.

• Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
• Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved.

Credit monitoring agencies do not offer credit monitoring services for individuals under the age of majority. If a parent / guardian enrolls an individual under the age of majority in the offered identity protection services, the individual, upon reaching the age of majority, will have the opportunity to enroll in credit monitoring services for the duration of the two-year coverage period.

Would PowerSchool reach out to me directly to request my personal information?

PowerSchool is committed to keeping our community informed and will be providing further resources as they become available. However, please remain vigilant as PowerSchool will never contact you by phone or email to request your personal or account information.

Why is Experian notifying me instead of PowerSchool?  

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services on behalf of PowerSchool and our customers who opted in to these services. Additionally, PowerSchool worked with Experian to set up a dedicated, toll-free call center to answer any questions regarding the incident that involved individuals may have. 

How do I sign up for credit monitoring? 

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

What if I don’t get an email?  

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email. 

What information of mine was involved?  

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number (SSN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.  

Please note regardless of whether an individual’s Social Security Number was exfiltrated, we are offering two years of complimentary identity protection services for all current and former students, parents / guardians of students, and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students, and educators whose information was determined to be involved.  

FAQ for Educators

Was any educator data involved in this incident?

For involved students and educators, the types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Insurance Number (SIN), and other related information. Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base. The notice received by each individual will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).

Was credit card or banking information involved in this incident?

We have no evidence that credit card or banking information was involved.

Is PowerSchool offering identity protection and credit monitoring services?

PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all students who have reached the age of majority and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.

How many districts and schools were involved?

We are not sharing specifics around the number of districts and schools we believe were involved. We are in communication with those customers directly and are supporting them through next steps.

Why is Experian notifying me instead of PowerSchool?  

PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services on behalf of PowerSchool and our customers who opted in to these services. Additionally, PowerSchool worked with Experian to set up a dedicated, toll-free call center to answer any questions regarding the incident that involved individuals may have. 

How do I sign up for credit monitoring? 

For details on how to sign up for the resources being offered and how to reach the dedicated call center, you will be receiving an e-mail notification directly from PowerSchool in the coming days, or you can visit their website to learn how to activate the offerings from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. 

What if I don’t get an email?  

Involved individuals may receive an email communication in the coming weeks. If you do not receive an email, you can find more information linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/. This notification provides details about the support resources we are offering, including complimentary credit monitoring and identity protection services if you do not receive a direct email. 

FAQ for Customers

Was data from my school district involved?

We have proactively contacted the SIS customers that we believe were affected. If you are not a SIS customer, you were not affected.

Should we take any action to secure our own systems?

We do not believe there is an ongoing risk to our systems. We have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.

Were other PowerSchool products affected?

Other than PowerSchool SIS, we have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.

How will students and educators be notified if their information was involved?

We have initiated the process of notifying involved individuals. In the coming weeks following Jan. 29, direct email notifications will go out, and in the meantime, we have distributed a media release and posted a notice to our website.