Important PowerSchool Announcement
January 9, 2025
Dear Winnetka families,
On Tuesday afternoon, January 7, the District was informed by PowerSchool, our Student Information System (SIS), of a recent data breach impacting many of the 18,000 school districts that use PowerSchool globally.
Working with PowerSchool and our Technology Department, we have determined that approximately 7,500 records of current and former Winnetka students were accessed. This message shares what we have found, based on the information PowerSchool has provided. We will provide future updates if we discover additional information.
We are extremely concerned about this lapse in security on PowerSchool’s part and are in constant communication with the company to understand how this could have happened and what they are doing to prevent future incidents. The information captured below is all of the information available to us at this time. While we understand your shared concern, we will be unable to provide any further detail to those who reach out to the schools or District Office following this communication. Any further detail we receive from PowerSchool will be shared with families as soon as it is made available to us.
What happened?
On December 28, 2024, PowerSchool discovered that a hacker accessed personal employee and student information from customers worldwide using the PowerSchool SIS. The hacker exploited the user account of a PowerSchool technical support employee, allowing rapid access to download millions of records from schools worldwide between December 19 and December 24, 2024.
What type of information was accessed at The Winnetka Public Schools?
Using the instructions provided by PowerSchool, our Technology Department identified the fields accessed in Winnetka. For current students, that information includes:
Student names and Winnetka ID numbers
Student addresses
Student birth dates
Parent/guardian/emergency contact names, email, and phone numbers
Transfer information
Medical Alert (indication of a need for support, but no medical records tied to the need were breached)
The PowerSchool records accessed for current students DO NOT include grades, GPA, medical records, financial information, special education status, schedule information, or Social Security numbers.
What’s next?
PowerSchool has told its customers that they do not anticipate the data being shared or made public, and that they believe it has been deleted without any further replication or dissemination. In addition, PowerSchool has taken the following steps in response to the breach:
Engaged CrowdStrike, a third-party cybersecurity firm, to investigate the breach. Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.
Implemented additional information security best practices requiring updated credentials for all employees, and restricting access to their support system tools.
What can families do?
Given that the data that was stolen from Winnetka is less sensitive and more difficult to exploit, the threat level is relatively low. In situations like these, the most common outcome would be an increase in spam or phishing attacks targeted at the email addresses that were stolen. Students are unable to receive email from outside the District, and should be insulated from these phishing attempts. We recommend that families:
Remain watchful for any suspicious emails.
Avoid clicking links or attachments that you did not specifically request.
Confirm any unusual requests for information or payment using other means before you act.
Remind your children not to respond to a suspicious email or text and to report it to an adult right away.
The Winnetka Public Schools is reviewing our extensive data protection tools and policies to make sure we continue to employ the strongest possible information security protections. We are collaborating closely with other impacted school districts and leveraging our membership in both statewide and national educational technology organizations to ensure we have taken every possible step in responding to the data breach.
We know that incidents like these are upsetting, and we share your concern. Please know that we are doing everything we can to assure that nothing like this incident can happen again. We will continue to keep you informed of any new information we receive from PowerSchool regarding this incident.
Sincerely,
Steve Wilt
Chief School Business Official
The Winnetka Public Schools