Skip to main content
Data Privacy and Security

Data Privacy and Security

PowerSchool Data Breach

Update January 17, 2025.

For Educational Agencies that have filed their PowerSchool Data Breach Report and need to update some of the provided information, they can file the new PowerSchool Update Form. This form may be submitted multiple times.

 

The following email was sent to all DPOs on Friday, January 10, 2025.

Dear DPO: 

This email is to inform you that the New York State Education Department’s Privacy Office has created a PowerSchool specific incident report form.  This form is to be used for all PowerSchool SIS data incidents that are being reported to the Privacy Office in connection with the December 28, 2024, discovery of a PowerSchool cybersecurity incident.

Before completing the form, educational agencies should know the number of affected students, teachers and principals, the data elements for students, teachers and principals, and the notification date. Additionally, for teachers and principals we are requesting information on what personal information was affected, including, but not limited to: their name, social security number, birth date, ethnicity, email address, gender identification, home address, and phone.  If you are uncomfortable waiting to file the data incident report, send an email to privacy@nysed.gov to let us know you are still gathering information to submit the report.

Please be aware that, in accordance with section 121.10 of the Commissioner’s regulations, all educational agencies must report the data incident, even if the product was purchased from your Regional Information Center (RIC).

Like the Illuminate Education data breach that occurred in late 2021/early 2022, former students may be affected by this breach.  Therefore, we recommend that educational agencies put a notification on their web page to capture as wide an audience as possible.

Finally, no matter what notice you received from PowerSchool (i.e. your educational agency’s data was breached or it was not breached), we recommend that each educational agency review the SIS log files by using the steps outlined in PowerSchool’s  Community article.  It is our understanding that some educational agencies are finding that the information contained in the original notice from PowerSchool is inconsistent with the findings on their log files. Also, former PowerSchool customers whose data was hosted by PowerSchool may have been adversely affected by this incident and should contact PowerSchool to determine whether PowerSchool is still holding their data and, if it is, whether their data was adversely affected.

The news of a student information system data breach is not how any of us wanted to start 2025 but please know that the Privacy Office will diligently work with all of New York’s educational agency’s responding to this incident.