Delaware Valley SD says PowerSchool breach exposed names, addresses and phone numbers; district orders password reset
January 18, 2025 | Delaware Valley SD, School Districts, Pennsylvania
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Superintendent Dr. Blom told the Delaware Valley School District Board of Directors that a recent security breach at PowerSchool, the district’s learning-management system, exposed names, phone numbers and addresses for some district families and staff, though the district does not store Social Security numbers in that system.
The disclosure, which Dr. Blom described as part of a widespread compromise affecting more than 17,000 school districts that use PowerSchool, prompted the district to force a password reset for all users and to prepare a parent notification. "We do not keep anybody's Social Security numbers in PowerSchool," Dr. Blom said, adding that the compromised files were limited to information "you could essentially Google and find on people." He said PowerSchool and the district’s cyber insurance carrier are investigating the incident.
Why it matters: The breach affects district families and employees and comes from a third party that hosts critical student- and staff-related data. The board heard that the district will be transparent with families even where legal counsel said notification was not strictly required.
Board members asked whether the district hosted the data locally or in the cloud. Dr. Blom replied the district moved from an on-site server to PowerSchool’s cloud over the summer, which is why the issue affected districts that use the vendor’s hosted service. He also said districts that still self-hosted were potentially affected if PowerSchool technicians used remote access.
The superintendent said the district did not lose or have records deleted; rather, files were viewed by the intruders. Dr. Blom said the district will send a districtwide “Connect” message using a parent notification template PowerSchool drafted and will provide families a contact point for questions.
Board context and next steps: The board did not take a formal vote on actions related to the breach at the meeting. Dr. Blom reported the following actions had already been taken or were planned: a forced password reset for all district accounts, an email to students, and a parent notification to be sent the next day. He also encouraged parents to contact the district with questions.
The superintendent said the district’s cyber attorneys advised that no notification was strictly required in the district’s case, but the administration chose to notify families anyway. No fines, ransom demands or data deletions were reported during the meeting.
The disclosure, which Dr. Blom described as part of a widespread compromise affecting more than 17,000 school districts that use PowerSchool, prompted the district to force a password reset for all users and to prepare a parent notification. "We do not keep anybody's Social Security numbers in PowerSchool," Dr. Blom said, adding that the compromised files were limited to information "you could essentially Google and find on people." He said PowerSchool and the district’s cyber insurance carrier are investigating the incident.
Why it matters: The breach affects district families and employees and comes from a third party that hosts critical student- and staff-related data. The board heard that the district will be transparent with families even where legal counsel said notification was not strictly required.
Board members asked whether the district hosted the data locally or in the cloud. Dr. Blom replied the district moved from an on-site server to PowerSchool’s cloud over the summer, which is why the issue affected districts that use the vendor’s hosted service. He also said districts that still self-hosted were potentially affected if PowerSchool technicians used remote access.
The superintendent said the district did not lose or have records deleted; rather, files were viewed by the intruders. Dr. Blom said the district will send a districtwide “Connect” message using a parent notification template PowerSchool drafted and will provide families a contact point for questions.
Board context and next steps: The board did not take a formal vote on actions related to the breach at the meeting. Dr. Blom reported the following actions had already been taken or were planned: a forced password reset for all district accounts, an email to students, and a parent notification to be sent the next day. He also encouraged parents to contact the district with questions.
The superintendent said the district’s cyber attorneys advised that no notification was strictly required in the district’s case, but the administration chose to notify families anyway. No fines, ransom demands or data deletions were reported during the meeting.
View full meeting
This article is based on a recent meeting—watch the full video and explore the complete transcript for deeper insights into the discussion.
View full meeting