School data breached in cyberattack
Millions paid to delete stolen data, superintendent says
Staff writer
Marion schools were among thousands nationwide to have data stolen from its PowerSchool website.
PowerSchool is used by 16,000 organizations serving more than 50 million students.
“It happened at their end,” superintendent Justin Wasmuth said. “We’re part of thousands of schools.”
PowerSchool’s system was breached Dec. 2, but the software company didn’t notice the breach until Dec. 28, Wasmuth said.
The district wasn’t notified its data had been stolen until Jan. 8.
PowerSchool paid what Wasmuth estimated to be millions of dollars in ransom to cybercriminals who hacked into its system. The company was told stolen data would been deleted.
Wasmuth said the hackers gained access to certain PowerSchool customers’ data by using a stolen credential to breach a customer support portal.
“PowerSchool isolated the incident without having to go farther than just their portal, and not the other companies that PowerSchool manages,” Wasmuth said.
When PowerSchool notified the district of the breach, the company said it would provide more information as it became available.
On Thursday, the district had enough information to notify parents.
“On our end, our insurance has cybersecurity coverage, and we have been told to send this in just in case anything more happens,” Wasmuth said.
The district uses PowerSchool to keep records on student grades, demographics, medical histories, and similar information, Wasmuth said. It also uses PowerSchool to store data on teachers.
“This is the first data breach we’ve had to deal with, and we’re working with PowerSchool to make sure they are more stringent, and this doesn’t happen again,” he said.
State Department of Education spokesman Denise Kahler said she didn’t know how many districts in the state had been affected.
“We have very limited information,” she said. “We are advising all districts to reset passwords for all district level common authenticated applications that are tied to staff and/or student information.
“While no data housed by KSDE was impacted, we are requiring user password resets for all our common authenticated applications out of an abundance of caution.”
Marion was the only district in the county affected. Hillsboro superintendent Clint Corby said his district uses a different system, called Skyward.
“We were not affected in the data breach,” Corby said.
Peabody-Burns superintendent Antoinette Root and Goessel superintendent Mark Crawford said their districts likewise did not use PowerSchool.
PowerSchool is owned by Bain Capital, which paid $5.6 billion for the company in 2024.
Marion schools pay the company $7,514.13 a year for the service.