Evanston/Skokie School District 65 announced Friday morning that it, along with 18,000 other districts nationwide, was hit by a data breach of the education tech company PowerSchool, a platform that stores student demographic and academic information.
PowerSchool notified District 65 of the breach on Tuesday, Jan. 7, according to a Friday statement sent to families from Assistant Superintendent of Performance Management and Accountability Stacy Beardsley. The district spent the last few days working with PowerSchool to identify the exact information included in the breach before sending the note to the community on Friday.
“We are deeply troubled by this lapse in security and are working closely with PowerSchool as well as other school districts to learn more about what happened,” Beardsley said.
The information accessed by the “threat actor” who hacked PowerSchool included student names and District 65 ID numbers, addresses, birth dates, guardian email addresses, transfer dates for the last active school year the student was enrolled, student lunch PINs, free/reduced lunch status and health concerns like allergies, if a student wears glasses and medical conditions like epilepsy or asthma.
The breach, however, did not include grades, GPAs, financial information, special education status, schedule information or Social Security numbers.
This isn’t the first time PowerSchool has come under fire — the tech company is currently being sued in a class action lawsuit alleging that the company sells student data without parents’ informed consent.
How the breach happened
“On Dec. 28, 2024, PowerSchool discovered that a threat actor had accessed personal employee and student information from customers nationwide using the PowerSchool SIS [Student Information System],” Beardsley wrote.
The threat actor was able to see student records from Dec. 19 to 24 by using the user account of a PowerSchool tech support employee.
According to the district, the company has told customers that it doesn’t anticipate this data being made public.
Looking ahead
PowerSchool has required all employees to update their credentials and restricted access to some of its tools in the wake of the breach.
The company also hired the cybersecurity firm CrowdStrike to look into the hack.
“Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact,” according to Beardsley.
Other PowerSchool users
Evanston Township High School also uses a product owned by PowerSchool, but confirmed with the company that students and teachers were not impacted.
“Though there is no evidence of impact to the District, ETHS remains proactive and vigilant in working closely with PowerSchool to monitor this matter and any further developments,” Mike Corcoran, ETHS chief technology officer, said in an email to families. “We are actively communicating with PowerSchool to understand how this breach occurred and what measures are being implemented to prevent similar incidents in the future.”
The breach did affect a number of other North Shore school districts, including New Trier High School and schools in Wilmette District 39, Winnetka District 36, Sunset Ridge District 28 and Avoca District 37.
Nearly 200 school districts in Illinois used PowerSchool’s services in 2022-2023, according to data initially reported by local writer Tom Hayden, racking up $11 million a year in payments to the company.
District 65 affected by massive data breach is from Evanston RoundTable, Evanston's most trusted source for unbiased, in-depth journalism.