PowerSchool, a major school database provider, finds itself in the center of a data breach crisis, with Greenville Public Schools in West Michigan revealed as one of the affected districts. Superintendent Wayne Roedel informed parents about the exposure of students' personal information. Compromised data includes names, GPS ID numbers, addresses, birth dates, grade levels, entry and exit dates, doctor names, gender, home phone numbers, and medical alert information. However, Roedel confirmed that social security numbers, along with academic performance and scheduling details, were not accessed in the breach, as reported by FOX 17.
PowerSchool's response to the breach, which utilized the credentials of a technical support employee to extract records from December 19 to 24, 2024, includes the engagement of cybersecurity firm CrowdStrike and updated security measures. Addressing the seriousness of the incident, Roedel stated, "We are extremely disappointed in this security lapse and are in constant communication with PowerSchool to understand how this could have happened and what they are doing to prevent future incidents," as FOX 17 detailed.
Kalamazoo and Paw Paw Public Schools have also been implicated in the breach, with both districts' student data being exposed. Kalamazoo Public Schools Superintendent Dr. Darrin Slade disclosed that although basic student information was exported, social security numbers were not compromised, according to WWMT. Additionally, staff names and school emails were accessed but no further personal or financial information seems to have been retrieved in the breach.
Across the state, other districts like those in the Jackson Intermediate School District, use PowerSchool but it remains unclear to what extent they have been affected. Tom Holt, an MSU cybersecurity expert, warned that despite the containment of the breach, the occurrence poses potential risks like extortion or financial scams targeting parents. "This is one of those things where, parents especially, need to be very mindful of any requests that they get, any emails that they’re getting from the school, or otherwise," Holt stated, in a sentiment acquired by WILX.
The breach has prompted Kalamazoo and Paw Paw districts to emphasize their commitment to data security, using robust measures such as two-factor authentication and staff security training. Both districts also plan to regularly update the affected families as further information comes to light. In a statement shared with WWMT, Kalamazoo's Dr. Slade declared, "PowerSchool has received reasonable assurance that all of the copied data has been destroyed by the threat actor and does not believe this data will be made public." The incident remains under investigation as PowerSchool and cybersecurity experts strive to circumvent future leaks and bolster their defenses.