Breach Notifications

What is a Data Breach?

A breach refers to the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of covered information maintained by an operator or school.

Parents will be notified of breaches of covered information within 30 calendar days of receipt of notice that a breach has occurred. Notification may be delayed if this would interfere with a criminal investigation. Notification will include, but is not limited to:

  • The date of the breach
  • The description of the covered information that was compromised
  • Information that the parent may use to contact the operator and the school about the breach
  • Toll-free numbers and other information for consumer reporting agencies
  • Toll-free numbers and other information for the Federal Trade Commission (FTC)
  • A statement that the parent may obtain information from the FTC and consumer reporting agencies about fraud alerts and security freezes.

Breach Notifications

Data breaches that meet the threshold set by the Student Online Personal Protection Act will be posted below as soon as the district is notified.

January 14, 2025: PowerSchool (Update)

IMSA is monitoring communications from PowerSchool about the reported nationwide incident. PowerSchool has published a notification webpage for customers and families impacted by its data breach: https://www.powerschool.com/security/sis-incident/.


January 9, 2025: PowerSchool

PowerSchool, the vendor providing IMSA’s Student Information System, announced this week that they experienced a nationwide data breach. IMSA was one of many schools affected by this breach.

On December 22, 2024, an unauthorized individual gained administrative access to our PowerSchool SIS through a vulnerability in PowerSchool’s support portal. This vulnerability, a maintenance access feature intended for authorized PowerSchool support staff, was exploited to access data. This vulnerability impacted numerous schools using PowerSchool, both those hosted by PowerSchool and those hosted locally. PowerSchool first notified us of the incident on January 7, 2025. Two separate queries were run against the PowerSchool database, resulting in the potential export of the following data:

Student Data (9,921 records): This included data for currently active students, alumni, and applicants (including waitlisted, declined, and deleted applications). The data potentially accessed encompassed 150 data fields, including:

    • Personal Identifiers: First, middle, and last names, IMSA student number, IMSA login ID/username.
    • Demographic Information: Gender, date of birth, race and ethnicity.
    • Academic Information: IMSA grade year (class of), exit status (graduated, withdrawn).
    • Contact Information: Home address, home phone number, parent/guardian email addresses.
    • Other Information: Lunch status (free/reduced), parent web ID and encrypted password, medical “alert” summary (e.g., inhaler use, allergies), parent alert summary (parent access restrictions), other “alert” summary (e.g., checkout restrictions, Ed Plan status), and doctor name and phone number (rarely used).

Staff Data (1,494 records): This included data for currently active and former staff members since 2006. The data potentially accessed encompassed 97 data fields, including:

    • Personal Identifiers: First, middle, and last names, IMSA login ID/username, staff/teacher number.
    • Contact Information: IMSA email address.
    • Professional Information: Title, active/inactive status.

Our Response and Due Diligence:

Upon learning of the breach, we immediately began working with PowerSchool to understand the scope and impact of the incident. We have also undertaken the following steps:

    • Collaboration with PowerSchool: We are actively collaborating with PowerSchool as they investigate the vulnerability and implement necessary security enhancements. We are demanding full transparency and accountability from PowerSchool regarding this incident.
    • Internal Review: We have initiated a comprehensive internal review of our data security policies and procedures to identify areas for improvement. Although the breach stemmed from a third-party vulnerability, we are committed to strengthening our overall security posture.
    • Notification and Support: We are notifying all affected individuals and providing resources and support to address any concerns.
    • Enhanced Security Measures (Post-Incident): We are evaluating additional security measures for our data systems, including but not limited to: multi-factor authentication, enhanced logging and monitoring, and more frequent security audits.

PowerSchool’s Role and Responsibility:

It is crucial to emphasize that the intrusion exploited a vulnerability within PowerSchool’s own systems, specifically a maintenance access feature within their support portal. This vulnerability was not under our direct control. We are holding PowerSchool accountable for this security lapse and are working with them to ensure that they take all necessary steps to prevent future incidents.

What You Can Do:

We recommend that all affected individuals take the following precautions:

    • Remain vigilant: Be cautious of any unsolicited emails, phone calls, or text messages that request personal information.
    • Monitor your accounts: Regularly review your financial accounts and credit reports for any unauthorized activity.

Ongoing Communication:

We understand that you may have questions and concerns. We sincerely apologize for any concern or inconvenience this incident may cause. We are committed to protecting the privacy and security of your information and are taking all necessary steps to address this situation.

In the interest of providing more information, here is a selection of articles about the incident:

In order to provide support, we recommend that you review the Federal Trade Commission Consumer Advice on what to do after a data breach.

If you have any questions, please reach out to Rich Busby, IMSA’s Privacy Officer, at rbusby@imsa.edu.


July 12, 2023: wiris MathType

IMSA received notification from a software provider (wiris MathType) of a breach of their system. The breach only impacted users who contacted the vendor between July 7 and 9, 2023. The vendor notification states that the information exposed does not include personal data concerning their database of students, teachers, or other users, nor passwords. View the breach notification that IMSA received. Should you have any questions related to this software, the vendor can be contacted by phone (toll-free, US only) at 800-827-0685 or via email at support@wiris.com. The Federal Trade Commission (FTC) provides information and a means to report fraud.