A cybersecurity attack on a major school software platform has exposed student and teacher data at schools across North America — including the Rochester City School District.
About 134,000 Rochester student records were leaked in the PowerSchool data breach, according to RCSD data privacy officer Terri Orden.
“Our technology team has identified the specific RCSD information that may have been accessed,” Orden said in a statement that was updated on Thursday. “Including first name, last name, date of birth, home address, email address, all phone numbers, and emergency contacts.”
Orden added that medical information and legal alerts may have also been accessed, along with some staff information like names and emails.
PowerSchool became aware of the breach on Dec. 28, according to a notice published earlier this month, which exposed Social Security numbers and other data.
“We have no evidence that other PowerSchool products were affected as a result of this incident, or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the PowerSchool notice states.
As of this week, the company said it has notified state attorneys general offices where schools were affected — listing New York among? ten states and D.C.
In response to the cyberattack, the company is coordinating with credit reporting agencies TransUnion and Experian to provide two years of free identity protection services for people whose information was exposed, including free credit monitoring for adults.
The deadline to apply for those services is May 30. Details on how to enroll and steps to take to avoid or report identity theft are available on PowerSchool’s website.
Earlier this month, the New York State Education Department (NYSED) wrote to schools advising how to file incident reports related to the data breach.
“Former students may be affected by this breach,” the state education department letter read. “No matter what notice you received from PowerSchool ... It is our understanding that some educational agencies are finding that the information contained in the original notice from PowerSchool is inconsistent with the findings on their log files.
“Former PowerSchool customers whose data was hosted by PowerSchool may have been adversely affected by this incident,” NYSED's letter continues, “and should contact PowerSchool to determine whether PowerSchool is still holding their data and, if it is, whether their data was adversely affected.”
