The following email was sent out on January 9, 2025:
To: Lexington Two Families and Staff
Re: PowerSchool Cybersecurity Incident
This week, Lexington School District Two was informed by the SC Department of Education and contracted vendor PowerSchool, the hosting company and provider of the district’s student information system (SIS), about a cybersecurity breach that occurred in late December 2024. Earlier today, we were able to meet with Department of Education officials in order to get a better understanding of the situation across our state.
The breach involved student and staff records not only in South Carolina school districts but also from multiple other states and countries. This was an international criminal incident against PowerSchool, over which state and local districts had no control.
Lexington Two has initiated our response plan on the local level, including contacting the South Carolina Law Enforcement Division (SLED). In addition, district administration is following recommended guidance from PowerSchool and the SC Department of Education and is working with them in investigating how this PowerSchool breach affects our district.
This cybersecurity incident is very concerning. Please know that as we get more information, we will share updates with district families and employees. In the meantime, we are including some of the communications we have received regarding the breach – from PowerSchool, the SC Department of Education, and SLED and South Carolina Critical Infrastructure Cybersecurity. SLED’s memo includes some recommended steps for those potentially affected.
_______________________________
News release from the SC Department of Education, dated January 8, 2025:
WEST COLUMBIA, SC – Late Tuesday, the South Carolina Department of Education (SCDE) was informed by PowerSchool of a cybersecurity breach involving its PowerSource portal. This was an international incident over which the state and local districts had no control.
This breach resulted in unauthorized access to certain customer data from PowerSchool’s Student Information Systems (SIS), including data from multiple states and school districts across the country.
During a meeting with PowerSchool’s senior leadership, they confirmed that personally identifiable information (PII) was compromised. The SCDE is currently working to understand the full scope of the breach.
PowerSchool has stated that this breach has been contained and has informed the SCDE that it has taken steps to secure its systems, engage cybersecurity experts, and is also coordinating with law enforcement to address the breach.
The SCDE is actively communicating with PowerSchool, legal counsel, and local districts to assess the full impact on South Carolina schools, students, and educators and to determine next steps. The SCDE is also in direct communication with the State Law Enforcement Division (SLED) and the Attorney General’s office and has notified the Governor and legislative leaders.
Commenting on the seriousness of this incident, State Superintendent of Education Ellen Weaver said, “The protection of our South Carolina students’ and educators’ personal data is non-negotiable. We fully recognize the anxiety this raises for them and their families.”
She continued, “While PowerSchool has taken accountability for this breach, our Department will take uncompromising action to ensure we uncover the complete extent of this incident. We will insist that PowerSchool not only notify affected individuals but also provide them with credit and identity monitoring services.”
The SCDE will continue to engage and support districts and schools throughout this process as more information becomes available.
_______________________________
Related:
Click this link to read the notification from PowerSchool to districts, sent January 7, 2025