PowerSchool Cybersecurity Updates
Latest Updates on the PowerSchool Cybersecurity Incident
Newest Update as of March 10th, 2025
Dear Valued Customer,
On January 7th, we shared that PowerSchool was the target of a cybersecurity incident that resulted in the exfiltration of data from the Students and Teachers tables for some PowerSchool SIS customers by an unauthorized user. We immediately took corrective measures necessary to contain the incident, began notifying relevant regulatory agencies on your behalf (where applicable) as well as students and educators whose data was involved, and provided credit and identity monitoring services to the individual students and educators.
Today we are sharing closing updates on:
- The final CrowdStrike Incident Report, which did not identify any new or concerning findings beyond what we have shared;
- Our ongoing engagement with regulators in the United States and Canada;
- The identity monitoring (and credit monitoring, as applicable) that PowerSchool continues to make available to all individuals involved, and
- How PowerSchool has strengthened and will continue to strengthen our cybersecurity defenses as we connect the education community with the shared goal of helping students thrive through personalized education.
CrowdStrike Incident Report
Immediately after PowerSchool became aware of the incident, CrowdStrike was engaged to conduct an investigation into the incident. We made available a CrowdStrike interim fact sheet in mid-January, and with the investigation complete, are now sharing the final incident report.
CrowdStrike did not identify any new or concerning findings beyond what we already shared in the interim fact sheet. The report confirms:
- The Threat Actor accessed PowerSource, a community-focused customer support portal, using a single compromised credential.
- The Threat Actor’s activities were limited to exfiltration of select PowerSchool SIS instances of Students and Teachers tables.
- CrowdStrike’s Recon+ Intelligence service has not identified any evidence of this exfiltrated information available for sale or download.
- CrowdStrike found no evidence of system-layer access or malware associated with this incident.
- CrowdStrike found no other PowerSchool products were compromised.
- While the PowerSource environment experienced unauthorized activity prior to December, PowerSchool believes that the data exfiltration occurred in late December.
In addition to sharing here, we are posting CrowdStrike’s final incident report on our website and sharing it with regulators in the United States and Canada where appropriate. We encourage you to share this report with any stakeholders that you deem appropriate.
Regulator Notifications – United States & Canada
As we shared on January 27th and February 4th, PowerSchool filed notifications with applicable regulators across U.S. and Canadian jurisdictions (respectively) on behalf of impacted customers who did not opt out of our offer to do so. Our dialogue with regulators is ongoing. We plan to share the final CrowdStrike incident report and additional relevant details from our on-premise customers who opted to share their information with us.
Identity & Credit Monitoring Notifications
On January 17th, we announced that PowerSchool secured two years of complimentary identity protection for all students and educators involved where such services are available through Experian, regardless of whether an individual’s social security number was exfiltrated. We also made available two years of credit monitoring for involved students and educators in the United States and Canada who are eligible for credit monitoring services. To further support your communities with these resources, please note:
- Experian, our identity protection services provider, has sent email notifications on PowerSchool’s behalf (except those customers who opted out) to both current and former families and educators whose information was involved, and for whom we have available contact information. These notifications will continue as we process on-premise customer information.
- These individual notices are sent from an Experian company, CSIdentity, whose domain includes @csid. Please contact your CSM or Support team leader if you have any questions. Neither PowerSchool nor Experian will ever ask you for personal information via email.
- You can share information regarding the available monitoring services to your communities using the form letters provided to you by PowerSchool or the information provided on PowerSchool’s website.
- Information on how to enroll in identity and credit monitoring is posted on PowerSchool’s website (for the U.S. and Canada). We encourage you and your communities to take advantage of the monitoring being offered.
- PowerSchool has extended the sign-up deadline for Experian’s services from May 31, 2025, to July 31, 2025.
Security Improvements and Hardening Measures Introduced
As part of our commitment to continuously strengthen security across the K-12 ecosystem, PowerSchool has taken significant steps to enhance our cybersecurity posture. To date we have:
- Required that 100% of PowerSchool employees and contractors utilize SSO, MFA, VPN, and VDI for any hardware or resource that accesses customer data – including PowerSource;
- Invested in physical security measures including fingerprint and facial recognition authentication for all PowerSchool employees and contractors;
- Implemented rigorous technical audits of all access to customer data to validate and reinforce our security framework, including shortening the time-windows for authorized maintenance to reduce the risk of improper access; and,
- Limited the number of SIS instances a single account can log into during a 24-hour period.
In addition, we have taken proactive measures to reinforce our unwavering commitment to safeguarding student and educator data, including:
- Establishing a new Customer Security Advisory Council, which will provide a forum for in-depth security reviews, industry collaboration, and best practice sharing.
- Developing a security rubric to help districts assess not only PowerSchool’s security commitment but also their own infrastructure and third-party systems.
- Continuing our long-standing security protocols, including adherence to global standards (such as ISO 27100), product-level governance (including SOC II audits), and monitoring via our Security Operations Center, which currently maintains 24x7x365 coverage against cybersecurity threats. You can learn more about our security process and policies here.
We hope this update can begin to bring closure to this incident; please reach out to your CSM or Support contact with any additional questions or concerns. We are grateful for your partnership over the last several weeks and look forward to all that we can accomplish as we move forward—together.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
________________________________________________________________
February 20th, 2025
Dear PowerSchool User or Parent / Guardian of User:
You are receiving this notice on behalf of Thrive Elementary from PowerSchool. As you may know, PowerSchool provides software and services to your current or former school or the current or former school of a person to whom you are a parent or guardian. We are writing to share with you some important information regarding a recent cybersecurity incident involving personal information belonging to the named individual.
What Happened?
On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of certain personal information from PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource.
What Information Was Involved?
Due to differences in customer requirements, the types of information involved in this incident included one or more of the following, which varied by person: name, contact information, date of birth, Social Insurance Number, limited medical alert information, and other related information. At this time, we do not have evidence that the named individual’s Social Insurance Number was involved. At this time, we do not have evidence that limited medical alert information for the named individual was involved.
What Are We Doing?
PowerSchool is offering two years of complimentary identity protection services, provided by Experian, to students and educators whose information was involved. For involved students and educators who have reached the age of majority, in addition to Experian’s identity protection services, PowerSchool is also offering two years of complimentary credit monitoring services provided by TransUnion.
Offer: Experian Identity Protection Services – Available to All Involved Students and Educators
- Enrollment Instructions for Experian IdentityWorks
- Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC)
- Visit the Experian IdentityWorks website to enroll: https://www.globalidworks.com/...
- Provide your activation code: MPRT987RFK
For questions about the product or help with enrollment, please email globalidworks@experian.com
Details Regarding Your Experian IdentityWorks Membership
A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:
- Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
- Fraud Remediation Tips: Self-help tips are available on your member center.
Offer: TransUnion Credit Monitoring Services – Available to Involved Students and Educators Who have Reached the Age of Majority in their Applicable Province or Territory
Enrollment Instructions for TransUnion myTrueIdentity
- Please visit http://www.powerschool.com/sec....
- There you will find a link to the validation website, https://CACreditMonitoringVali..., where you will be prompted to validate your information by entering your first name, last name and year of birth
- If your identity is validated, a pop up will appear that provides an activation code and provides you a link to TransUnion’s myTrueIdentity site to enroll
Details Regarding your myTrueIdentity Membership
Upon completion of the online enrollment process, you will have access to the following TransUnion myTrueIdentity features:
- Unlimited online access to your TransUnion Canada credit report, updated daily. A credit report is a snapshot of your financial history and one of the primary tools leveraged for determining credit-related identity theft or fraud.
- Unlimited online access to your CreditVision® Risk credit score, updated daily. A credit score is a three-digit number calculated based on the information contained in your TransUnion Canada credit report at a particular point in time.
- Credit monitoring, which provides you with email notifications to key changes on your TransUnion Canada credit report. In today’s virtual world, credit alerts are a powerful tool to help protect you against identity theft, enable quick action against potentially fraudulent activity and provide you with additional reassurance.
- Access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Access to Identity Restoration agents who are available to assist you with questions about identity theft. In the unlikely event that you become a victim of fraud, a personal restoration specialist will help to resolve any identity theft. This service includes up to $1,000,000 of expense reimbursement insurance.
- Dark Web Monitoring, which monitors surface, social, deep, and dark websites for potentially exposed personal, identity and financial information and helps protect you against identity theft.
As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. We are not aware at this time of any identity theft attributable to this incident.
What Can You Do?
You are encouraged to remain vigilant against incidents of identity theft and fraud by reviewing account statements for suspicious activity. PowerSchool will never contact you by phone or email to request your personal or account information.
Other Important Information:
If you have any questions or concerns about this notice, please call 833-918-7884, Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays). Please be prepared to provide engagement number B138905.
Sincerely,
The PowerSchool Team
________________________________________________________________
February 3rd, 2025
Dear Valued Customers,
We sincerely appreciate your continued support as we respond to our recent cybersecurity incident. Since our last update, we have initiated the process of notifying involved individuals of the incident about the resources now available to them. As part of this process, we have posted a notice on our website. Credit monitoring and identity protection services are now activated and available.
In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a call center for your families and educators in case they have questions about these offerings.
As a reminder, PowerSchool is offering two years of complimentary identity protection services, which will be provided by Experian, for all current and former students, and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services, provided by TransUnion for students and educators who have reached the age of majority. We are doing this regardless of whether an individual’s Social Insurance Number was exfiltrated. This service is being provided by TransUnion because Experian does not offer credit monitoring in Canada; the Experian notice will include information about both service providers and how to apply.
We care deeply about keeping the students, families, and educators we support informed of this process. Please refer inquiring community members to the PowerSchool website for the latest information on the cybersecurity incident. To further support our districts and schools, PowerSchool has prepared template communications for your adapted use in conversation with families and educators as you see fit. The emails included below this message provide an update to both groups regarding the notification process and services PowerSchool is offering to involved students and educators.
Thank you for your partnership in supporting this process and the trust you have placed in our response. We acknowledge the significance of this incident and are committed to emerging from it stronger and better equipped to serve you and the communities we share.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
________________________________________________________________
January 27th, 2025
Dear Valued Customers,
I am writing today to inform you that our investigation and data review into the scope of the cybersecurity incident has continued in earnest. As part of our commitment to keeping you informed, we are reaching out with an update on the latest steps we have taken in response to this incident and what you can expect over the coming days.
Importantly, this message requires no action on your part and serves simply as an update.
This afternoon, PowerSchool began the process of filing state attorneys general notifications across applicable U.S. jurisdictions on behalf of customers who did not opt-out of our offer to do so. PowerSchool has also started the process of notifying Canadian regulators.
For our U.S. customers, you may also have notification requirements with your state’s Department of Education. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to you on making these notifications.
In the coming days, PowerSchool will begin providing formal legal notice of the cybersecurity incident to current and former students (or their parents / guardians as applicable) and educators whose information was determined to be involved.
A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parents / guardians as applicable) and educators for whom we have sufficient contact information. PowerSchool will also launch a website and distribute a media release to ensure we reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool.
PowerSchool will also be providing you with communications materials to help navigate conversations with families and educators as part of our effort to support you with the expected inquiries from your community members.
Thank you for your ongoing patience and partnership.
Hardeep Gulati
Chief Executive Officer, PowerSchool
________________________________________________________________
January 22, 2025
Dear PowerSchool SIS Customer,
Thank you for your continued patience and partnership as we address the recent cybersecurity incident. Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.
As a PowerSchool SIS customer in Canada whose information was involved, I am writing to provide you with updates on several important next steps:
Identity Protection and Credit Monitoring Services: PowerSchool has engaged TransUnion and Experian, trusted credit reporting agencies, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. The offered credit monitoring services in Canada, which will be available for those who have reached the age of majority, will be provided by TransUnion; the offered identity protection services, which will be available for all involved students and educators, will be provided by Experian for both the United States and Canada. This offer is being provided regardless of whether an individual’s Social Insurance Number was exfiltrated.
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services, which will be provided by Experian, for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services, which will be provided by TransUnion, for all students and educators who have reached the age of majority whose information was involved. This service is being provided by TransUnion because Experian does not offer credit monitoring in Canada.
Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and the necessary privacy regulators on your behalf. We hope to relieve the burden of these notifications on you and your institution.
- Community: PowerSchool will coordinate with TransUnion and Experian to provide notice on your behalf to students, parents / guardians and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
In this Community link, you will find a fact sheet with additional details on these steps and the incident, a template that we intend to use to notify students and educators via email addresses, where available, whose information was involved, and a proposed communication that you may choose to share with families and educators to keep them informed on these steps. We are providing this communication package to technical contacts listed by your organization with PowerSchool. Please share as appropriate to relevant leaders in your organization.
I sincerely value the trust you have placed in PowerSchool. We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.
We appreciate all that you are doing to support families and educators through this process.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
________________________________________________________________
January 22nd Update from Thrive Elementary
Following the notification from PowerSchool about the cybersecurity incident and our subsequent emails alerting student parents and teachers, Thrive is continuing to work with PowerSchool to understand more details from their investigation. This page will provide any new details on the incident as they become available.
Both PowerSchool and Thrive Elementary have taken the necessary security actions to address future unauthorized actions. Please note that this was a service provider breach (PowerSchool SIS) that affected many school districts in Canada, and not a breach of Thrive’s internal systems infrastructure.
Thrive Elementary IT department has completed an assessment of what information was accessed by the unauthorized party and determined the following data was exported during the incident:
Teacher Data in the Export:
- Name (first, last, preferred)
- Email Address (Only @goauto.ca or @thriveschool.ca, apart from one user who had a Gmail address in their account details)
- Phone number (only populated for one staff member)
- Job Title (only populated for some staff)
- Various internal PowerSchool values (i.e. the school ID, the permission profile ID, etc.)
Student Data in the Export:
- Name (first, middle, last)
- Mailing address
- Home phone
- Alerts (guardian, medical, other)
- Academic status (i.e. grade, school, date of enrollment/exit)
- Entry and Exit Codes, along with Exit Comments
- Date of Birth
- Gender
- Alberta Student Number
- Thrive student number
- Various internal PowerSchool values (i.e. the school ID, the internal ID for contacts associated to the student, etc.)
A few important pieces of information that did NOT appear in the student export:
- Any grade information
- Any attendance information
- Any Alberta coding information that details FNMI status, learning disabilities, etc.
- Contact details for individuals associated to the student account. Only the mailing address and home phone directly attached to the student were exported.