PowerSchool CyberSecurity Incident FAQs
-
What has happened?
On December 28th 2024, PowerSchool, a provider of a Student Information System (SIS), experienced a cyberattack. A threat actor gained unauthorised access to PowerSchool's customer support portal using the compromised credentials of a customer support engineer, and used that access to steal certain data relating to students, families, and educators. PowerSchool has stated that, after paying a ransom, it received evidence that the stolen data had been deleted; however, the possibility that the compromised information is misused remains.
As a Data Controller, your organisation undertakes responsibility for the data protection compliance of the vendors that you appoint. In most jurisdictions, this includes ensuring that you have carried out appropriate due diligence (Vendor Assessments), documenting the vendor’s data processing activities (Records of Processing Activities), and completing the necessary risk assessments (Data Protection Impact Assessments).
When a data breach occurs at one of your Data Processors, your school is responsible for investigating and reporting the breach. Ultimately, the school is held to account because it is the decision-maker for how the data is processed.
-
We are affected by the PowerSchool cybersecurity incident. What should we do next?
Your school should carry out the following steps to ensure that the data breach is fully investigated and resulting risks are mitigated:
- Following your internal incident breach policy and procedures, carry out an incident investigation to understand how data has been affected.
- Establish what data has been affected and who the data subjects are.
- Once the scope of the breach has been confirmed, assess whether the breach exceeds the threshold for conducting a breach notification to your data protection regulator and data subjects.
- Ensure that you have appropriate due diligence in place for PowerSchool including:
- A completed vendor assessment, noting any risks posed by the vendor’s data processing practices.
- A completed Record of Processing Activity for PowerSchool’s use within the school.
- A completed Data Protection Impact Assessment for PowerSchool’s use within the school.
-
Do we need to notify the regulator and data subjects?
When considering whether you need to report a data breach to data subjects or the data protection regulator in your jurisdiction you must refer to the legal requirements in your country.
If your jurisdiction has a reporting requirement within the data protection law, it will specify a threshold that is met to trigger notification. When carrying out your incident investigation you should consider whether the scope of the data that has been breached triggers the notification requirement.
Some jurisdictions list specific categories of data that must be included in the notification to the regulator. Others require your school to make an assessment based on the likelihood of harm arising from the breach and, should that likelihood be considered high risk, to issue a notification.
Should your school require assistance with understanding the breach reporting thresholds, you can reach out for consultancy support by contacting support@9ine.com or via the website.
-
How quickly should we notify the regulator, do we wait until we have all the information?
Most data protection regulations contain prescriptive timeframes that an organisation must adhere to when notifying the regulator of a data breach. It is recommended that your school reports within this timeframe, even if you do not yet have all the information, to avoid breaching these statutory requirements. Supplementary information can be provided to the regulator at a later date. Some regulators will ask that you record whether the notification is a ‘full’ or ‘partial’ report, which recognises that organisations may not know the full details at the time of making a report.
-
What do we need to include in our data notification to data subjects?
Generally, a notification to data subjects should include:
- The name and contact details of the data protection officer, data protection lead or another individual at the school who can provide further information to data subjects.
- What the consequences of the personal data breach are likely to be.
- The measures taken or planned to deal with the breach and the measures taken to mitigate any possible adverse effects (in this case these will include measures taken by PowerSchool and any you have taken at your school).
- Any specific advice on the steps individuals can take to protect themselves, and any help your school can offer. This could include advising that they reset passwords or telling them to be alert for phishing emails or fraudulent activity on their accounts.
However, the requirements may differ between jurisdictions.
We have created a notification letter for data subjects that can be used for this incident and tailored for your own use. This is available as an attachment to the template Incident Assessment within the 9ine Platform, which is free for schools to access. It is available for 14 days and can be downloaded for future reference. Access is available here.
-
Should we put information about the breach on our website?
It is important to notify data subjects about the breach in a clear and transparent manner and within the timeframes set out by the relevant regulation for your jurisdiction. The best way to do this is via email. If, however, you do not have email addresses for all data subjects, you should consider other ways to inform them of the breach, such as your community portals or spaces, or a notification on your website. Bear in mind that a data breach notification can be alarming, so consider ways to minimise concern among individuals who are not affected.
-
We had an email from PowerSchool but our data was not affected. Do we need to do anything?
If your data is unaffected, you are not required to notify the regulator or your data subjects about the incident.
However, regardless of the breach, you should have certain measures in place to manage your use of PowerSchool.
- Ensure that you have recorded the use of PowerSchool in a Record of Processing. This is a requirement in most countries and allows you to understand what data is being processed, how it is used, who it is shared with and how long it is stored.
- Most countries’ regulations will require that a risk assessment, either a Data Protection Impact Assessment or a Privacy Impact Assessment, is completed to identify the risks associated with this use of PowerSchool and any controls or mitigations in place to reduce the risks.
- Your school should carry out a review of PowerSchool as a vendor. This includes a review of the agreements or contracts you have in place with PowerSchool to identify any gaps in data privacy and protection requirements and how your school will mitigate them.
The 9ine Platform provides a number of solutions which support your school to carry out these steps.
-
What can 9ine do to support us?
Resources:
We have created a template ‘Incident’ for the PowerSchool breach within the 9ine Platform that is free for schools to access, tailor and use for evaluating the extent of the breach, to determine if it meets a reportable threshold and document their actions. This is available for 14 days, and can be downloaded for future reference. Access is available here.
Webinar
PowerSchool Cyber Attack - Tuesday 14th January - Not To Be Missed
We are hosting two webinars on the attack where you can learn more about the attack, incident response, assessment, and the implications of the PowerSchool DPA: 8.30am GMT Tuesday 14th January, or 3pm GMT Tuesday 14th January.
Guidance
If your school is affected, we can also provide support with:
- Guidance on next steps at your school
- Determining if you need to notify the regulator and data subjects, and if so how to provide notification
- Carrying out a vendor assessment to identify any gaps in data privacy and protection requirements and how you can mitigate them.
- Completing a Record of Processing and a DPIA for your SIS
- Creating or review of an existing Incident and Data Breach Policy and Procedure to ensure you are ready for any future incidents
You can reach out for consultancy support by contacting your consultant or emailing support@9ine.com or via the website.