Bayfield Schools impacted by PowerSchool data breach

Bayfield School District learned this week that the PowerSchool Student Information System (“SIS”) was compromised during the holiday break. The incident occurred between December 19 and December 22, and the school district was made aware of the attack on January 7, 2025. Bayfield School District’s data, along with that of other PowerSchool customers, was compromised. The compromised data includes the personal information of students and staff members.

A cybersecurity incident notification was sent to the district on Tuesday afternoon to alert school officials that some of Bayfield’s records may have been exposed in the breach.

“We are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed,” the notice stated.

Dylan Cann, the Data Services Coordinator for Bayfield School District, said that many school districts were impacted by the breach, and after working through steps outlined by PowerSchool he was able to confirm that some district records had, in fact, been stolen in the hack.

“PowerSchool informed us that the taken data primarily includes parent and student contact information with data elements such as name and address information. They are working with urgency to complete their investigation and determine whether PII belonging to our students was included,” Cann reported.

Fortunately, it appears that PowerSchool was able to prevent the data involved from further unauthorized access or misuse.

“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” the notification sent to affected districts stated.

It has been reported that the company paid a ransom to prevent the data from being released, and worked with an advisor experienced in negotiating with “threat actors” to make sure that the stolen data was deleted and no additional copies exist.

“We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations,” the notification said.

Cann said he is continuing to work with PowerSchool to identify the district’s next steps, and he attended a webinar on Thursday afternoon to learn more about the incident.

PowerSchool indicated that they are preparing a communications package to help affected school districts inform families, teachers and other stakeholders about the incident.

“PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process,” the notification said.

Bayfield School District Superintendent Leon Hanhardt said he felt it was important to inform the community of the breach right away, however, and indicated that further information will be provided to stakeholders when the company does share communications material with the district.

“We thought it was important to alert our people to the fact that this has happened, and bring everybody up to speed with what we know right now,” he said. “We are relieved to be told that this stolen data has been deleted and will not be shared, and will continue to engage with the company to make sure that our stakeholders are protected.”
