Software Provider Used In Some Oklahoma Schools Target Of Cybersecurity Attack

A third-party vendor used by several schools in Oklahoma is investigating a data breach.

PowerSchool is a software provider used in schools for managing grades, attendance, and scheduling throughout the school day.

Tulsa, Owasso, and Mid-Del schools all use the software, the districts confirmed. Only Mid-Del School was impacted at the technology center.

The company said someone hacked into the Student Information System through one of its customer portals on Dec. 28, 2024.

PowerSchool said none of its services have been disrupted and it does not believe anything else was affected, but the investigation is still ongoing.

Response From Mid-Del Schools:

"Mid-Del does use PowerSchool. However, only our Mid-Del Technology Center was affected. As soon as we were notified, we messaged our Mid-Del Technology families and staff and posted the message linked below on January 8, 2025."

Response From Putnam City Schools:

"We host our own servers in our own data center, preventing incidents like this from impacting our students, families, and staff."

Response From Tulsa Public Schools:

"PowerSchool is used by schools, including Tulsa Public Schools, to manage student records, grades, attendance, and enrollment, among other things. This breach, which PowerSchool reports occurred at the end of December, does not impact Tulsa Public Schools, our data, or our student information. We have received the following confirmation of the security of our data from PowerSchool:

While this incident affected certain PowerSchool Student Information System customers, our thorough forensic investigation has confirmed that your organization’s data was not impacted. 

We continue to monitor our infrastructure closely and believe the security of our data and student information is of the utmost importance."

Response From Mustang Schools:

Mustang Public Schools (MPS) has been informed of a cybersecurity incident involving PowerSchool, the district’s student information system provider. According to PowerSchool, an unauthorized party accessed their PowerSource portal, which allowed access to specific data from school districts across the country, including Mustang Public Schools.

What Happened: On December 28, 2024, PowerSchool identified unauthorized access to its PowerSource portal using a compromised credential. The breach affected data from student and staff tables, including, for Mustang, records dating back to 2009. Importantly, PowerSchool has confirmed that this breach did not impact any other systems or services used by the district.

What Data Was Affected: The affected data accessed includes:

1. For Staff: Limited personal information such as names, addresses, work contact information, and, in 15 cases, Social Security numbers.
2. For Students: Information, including names/addresses (including parent/guardian), DOB, grade levels, phone numbers, ethnicity, student alerts (if present), state student ID numbers, and emergency contacts.

Passwords were not included in the compromised data, and current District systems remain secure.

Our Response: Mustang Public Schools is working closely with PowerSchool, third-party cybersecurity experts, and law enforcement to address this issue. PowerSchool has taken steps to contain the breach, including deactivating the compromised credentials, enhancing security protocols, and monitoring for potential misuse of data.

What You Can Do: While PowerSchool has indicated that the data is not expected to be shared or made public, Mustang Public Schools encourages families and staff to remain vigilant by monitoring for unusual activity related to personal information. We are working with PowerSchool to ensure that all affected individuals have the resources they need to safeguard their information.

Looking Ahead: “We understand how concerning this situation is for our families and staff,” said Charles Bradley, Superintendent of Mustang Public Schools. “While this incident occurred outside of our systems, we are taking every step to ensure our community is informed and supported as we navigate this challenge together.”

Response From Yukon Schools:

We are aware of the recent data security incident involving PowerSchool, our cloud-based student information system provider, across hundreds of school districts in the United States and Canada. We understand that this news may be concerning to our families and staff, and we sincerely regret any inconvenience or concern it may cause.  

We want to assure our community that we are working closely with PowerSchool to address this incident and ensure the safety of our students' and staff's personal information. PowerSchool has informed us that they have taken all necessary steps to contain the incident and prevent any further unauthorized access or misuse of the data.   

Following the incident, our IT department conducted a thorough investigation and confirmed that due to our strict data protection policies, no sensitive information like Social Security numbers or medical records were compromised and the scope for Yukon PS appears to be primarily directory information. Employee, parent, and student login information were not part of this cybersecurity incident.

No further action is required from employees, parents, or students at this time. We are committed to protecting the privacy and security of our community's data and will continue to provide updates as more information becomes available from PowerSchool as they continue their investigation. 

News On 6/News 9 also reached out to other districts and we're awaiting responses.

This is a developing story. Refresh this page for updates.