Letter to D29 Families sent January 9, 2025

Dear District 29 Families & Staff-

On Tuesday afternoon, January 7, District 29 was informed by PowerSchool, our Student Information System (SIS), of a recent data breach impacting many of the 18,000 school districts that use PowerSchool globally. 

Working with PowerSchool and our Technology Department, we have determined that some records of current and former District 29 students and staff were accessed. This note shares what we have found, based on the information PowerSchool has provided. We will provide future updates if we discover additional information.

We are extremely disappointed in this security lapse and are in constant communication with PowerSchool to understand how this could have happened and what they are doing to prevent future incidents. 

What happened? 

On December 28, 2024, PowerSchool discovered that a threat actor had accessed staff and student information from customers worldwide using the PowerSchool SIS. The threat actor exploited the user account of a PowerSchool technical support employee, allowing rapid access to download millions of records from schools worldwide between December 19 and December 24, 2024.

What type of information was accessed related to District 29? 

• Student & Staff names and District 29 ID numbers (Not Social Security Numbers)

• Student & Staff gender 

• Student & Staff addresses

• Student & Staff email addresses

• Student birth dates

• Parent/guardian/emergency contact names and phone numbers

*******The PowerSchool records accessed DO NOT include grades, medical information, financial information, special education status, schedule information, or Social Security numbers.

What’s next? 

PowerSchool has told its customers that they do not anticipate the data being shared or made public, and that they believe it has been deleted without any further replication or dissemination. In addition, PowerSchool has taken the following steps in response to the breach: 

• Engaged CrowdStrike, a third-party cybersecurity firm, to investigate the breach. Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.

• Implemented additional information security best practices requiring updated credentials for all employees, and restricting access to their support system tools. 

District 29 is reviewing our extensive data protection tools, policies, and agreements with vendors that store information related to our students to make sure we continue to employ the strongest possible information security protections. We are collaborating closely with other impacted school districts and leveraging our membership in both statewide and national educational technology organizations to ensure we have taken every possible step in responding to the data breach.

We know that incidents like these are upsetting, and we share your concern. Please know that we are doing everything we can to prevent these types of incidents in the future.

If you have any questions, please reach out to me at stangee@srd29.org.

Sincerely,

Edward J. Stange, Ph.D.

District 29 Superintendent of Schools