Education

Student info from numerous Chicago-area school districts hacked in data breach

A number of Chicago-area schools revealed data such as student and parent names, contact information and allergy alerts had been accessed.

Getty Images

Personal data from a number of Chicago-area school districts was obtained in a cyberattack targeting PowerSchool, a popular education software company, many districts revealed this week.

Burbank School District 11, in a letter to the school community, said "an unauthorized party gained access to certain PowerSchool Student Information System data using a compromised PowerSchool credential," impacting the more than 18,000 districts worldwide that use the platform.

Another area school district, Oswego Community Unit School District 308, said the breach occurred on Dec. 28, 2024 and the incident has since been "contained."

When PowerSchool became aware of what occurred, the company notified law enforcement, locked down its system and engaged the services of CrowdStrike - a cybersecurity company - and Cyber Steward - an advisor with experience in negotiating with threat actors, according to Oswego CUSD 208.

Several other districts posted notices on their websites, revealing which information was compromised.

Bremen High School District 228, which serves more than 5,000 students in the south suburbs, said it was informed it may be among the districts whose data may have been accessed.

"District 228 has not received specific details about the extent in which D228 faculty and student information was accessed and they have assured us that further analysis of our particular situation will be shared in the weeks ahead," the district stated.

Community Consolidated School District 146, which serves Tinley Park, Orland Park and Oak Forest, said some of its data had been impacted.

"PowerSchool informed us that the taken data primarily includes parent and student contact information such as name and address," the district stated, in part. "However, some personally identifiable information for a portion of their entire customer base has also been accessed. PowerSchool is working with urgency to complete their investigation and determine whether PII belonging to District 146 students was included."

Burbank School District 11, said the following information about students "was reasonably believed to have been affected:" first, middle, and last name, birth date, address, phone number, gender, ethnicity/race, language, school name, school/state student ID numbers, guardian alert, guardian name, enrollment information, lunch waiver information, and student PowerSchool login ID. 

Oswego CUSD 308, in a notice on its website, said parent and student contact information, as well as allergy alerts from its district had been compromised.

Meanwhile, Mundelein High School District 120 advised parents the following personal information may have been obtained: names, birthdates, email addresses and limited medical information.

Lake Forest Districts 67 and 115 revealed the following district data had been accessed in the breach:

Impacted Student Data

District 67: 7,730 records accessed, ranging from 2013-2024
District 115: 10,244 records accessed, ranging from 2013-2024

  • Student name and ID number
  • Parent/guardian contact information 
  • Dates of enrollment and withdrawal reasons
  • Bus stop code 
  • Physician’s name and phone number
  • Limited medical alert information (e.g., allergies)
  • Existence of an IEP or 504, not plan specifics or eligibility information
  • Student school and homeroom

Impacted Staff Data

District 67: 820 records accessed, ranging from 2013-2024
District 115: 1,204 records accessed, ranging from 2013-2024

  • Employee name
  • PowerSchool ID number
  • IEIN number
  • Most recent department
  • Employee type
  • School email address

Other impacted school districts include:

  • Beach Park District 3
  • Harvey School District 125
  • Lake Ridge New Tech School Corporation - Gary, Indiana
  • Lincolnshire–Prairie View School District 103
  • North Chicago School District 187
  • Prospect Heights School District 23
  • Zion Elementary District 6

An additional affected district, Northwest Indiana's Hanover Community School Corporation, shared the following letter from PowerSchool on its website.

"As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool become aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource.

Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System ("SIS") customer data using a compromised credential, and we regret to inform you that your data was accessed.
Please review the following information and be sure to share this with relevant security individuals at your organization.

As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.

We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.

Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.

Rest assured, we have taken all appropriate steps to prevent the data involved from further
unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal.

Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.

PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.

We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident,

PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.

Thank you for your continued support and partnership."

Contact Us