A data breach at PowerSchool, the student information system provider used by San Diego Unified School District (SDUSD), has exposed personal data of students and teachers. The breach was discovered on December 28, 2024, after attackers accessed PowerSchool’s systems through their PowerSource customer support platform.
PowerSchool is a cloud-based software provider serving over 60 million students and 18,000 customers worldwide, including platforms for enrollment, attendance, staff management, learning systems, analytics, and finance. The company also operates Naviance, a platform used by many K-12 districts for college and career planning.
According to PowerSchool’s disclosure, unauthorized actors used compromised credentials to access the platform’s “export data manager” tool, which allowed them to extract entire database tables containing student and teacher information. This maintenance access tool, typically used by PowerSchool engineers for support and troubleshooting, was exploited to export both student and teacher databases to CSV files.
What Data Was Exposed
For San Diego families, the stolen database tables may contain:
- Names and addresses
- Social Security numbers
- Academic records and grades
- Medical information
- Student ID numbers
- Parent/guardian information
- Bus route information
- Administrative notes and alerts
- Password data
Impact on Student Privacy and Security
The exposure of grade school children’s medical and personal information presents unique long-term risks. Unlike adult data breaches, children may not discover their information has been misused for years or even decades.
Medical information can be particularly sensitive, as it may contain details about disabilities, health conditions, medications, or family medical history that could be used for discrimination or exploitation. The combination of medical data with academic records, Social Security numbers, and family details creates a complete profile of vulnerable minors.
School records often contain additional sensitive information such as behavioral assessments, family financial data, custody arrangements, and documentation about special education services. This level of detail about minors, especially when combined with their current addresses and daily routines like bus routes, presents serious safety and privacy concerns that could affect students throughout their academic careers and into adulthood.
Data Breach and Theft
The initial data theft occurred on December 22, 2024, from an IP address (91.218.50.11) traced to a hosting company in Ukraine. The unauthorized access can be traced through PowerSchool’s audit logs, where a maintenance user identified as “200A0” executed the data exports.
PowerSchool paid an undisclosed ransom in an attempt to prevent further release of the stolen information. While the company claims to have received video evidence of data deletion, there is no guarantee the data won’t be misused or appear elsewhere. This incident represents a shift in cyber attack tactics, focusing on data theft and extortion rather than traditional ransomware encryption.
Current Response Measures
In response to the breach, PowerSchool claims it has implemented additional security measures and is offering credit monitoring services for affected adults and identity protection services for impacted minors. While a bit late, the company states that it has also rotated passwords for all PowerSource customer support portal accounts and implemented stricter password policies. The incident was supposedly isolated to the PowerSource portal, with PowerSchool stating there is no evidence of malware or continued unauthorized activity in their environment.
CrowdStrike has been hired to investigate the incident, with a report expected sometime in late January 2025. The company states it is monitoring the dark web for any appearance of the stolen data.
Risks for Families
This breach creates several risks:
- Identity thieves specifically target children’s data due to clean credit histories
- Stolen information could enable targeted scams
- Exposure of medical and academic records
- Family data could facilitate social engineering attacks
Steps for Parents
If you received a breach notification from San Diego Unified School District:
- Review the specific data elements exposed in your case
- Consider placing a credit freeze on your child’s credit file
- Monitor accounts and medical records for suspicious activity
- Watch for unusual school-related communications
- Review your rights under California privacy laws
Law enforcement and relevant data protection regulators have been informed of the breach.
For San Diego parents who received notification letters: Contact us to discuss legal options regarding this data breach and your family’s privacy rights.