What parents need to know about the PowerSchool hack at San Diego Unified
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Brendan Lynch/Axios
Sensitive data belonging to an unknown number of San Diego Unified students was stolen in a recent breach of a major education technology provider.
Why it matters: Kids aren't immune to identity theft, and an increasing number of them are encountering identity fraud before turning 18, according to recent surveys.
Driving the news: Last week, San Diego Unified notified families of its roughly 100,000 students about a data breach at PowerSchool, an education technology company that works with 75% of all K-12 school districts in the U.S.
The latest: On Friday, the district said the stolen data primarily includes contact information like names, addresses, and phone numbers, but student social security numbers and medical condition alerts (asthma, food allergies, glasses, etc.) may also have been compromised.
- PowerSchool plans to notify and support families of affected students in the coming days, including with credit monitoring and identity protection services.
Threat level: PowerSchool has said the threat was contained and the stolen data was deleted as it paid money to prevent the hackers from sharing it, BleepingComputer reported.
Reality check: That's not a guarantee, and once hackers have stolen someone's data, there are only a few options for people.
Pro tips: Parents are advised to check if their children already have a credit report and contact the respective firm with findings, per advice from reputable privacy blog DataBreaches.net. (You might have to do this by mail.)
- The Consumer Financial Protection Bureau has resources to help navigate the process.
- Parents can also place a fraud alert on their child's name by contacting each of the three major credit bureaus and informing them that their child may be at risk of identity theft.
- Affected individuals should also reset any passwords that may have been compromised in the breach.
By the numbers: One in 8 U.S. children has experienced a compromise of their identity as part of a data breach in the past six years, according to a report released last month by research firm Javelin.
- One in 43 U.S. children have had their personally identifiable information stolen in a breach in the last year, the report also found.
Flashback: In 2023, San Diego Unified faced a cybersecurity incident with employees' personal data, including Social Security numbers, bank and medical information.
- Another major data breach in 2018 affected as many as 500,000 district students, parents and staff.
The big picture: Hacking a school district isn't tough.
- Many districts don't have the budget for major IT upgrades or to hire a robust security team.
- Hybrid learning has also resulted in more districts putting sensitive student information in the hands of third-party edtech providers.
What they're saying: "The incident should serve as a clarion call for school districts to re-evaluate the security practices they have in place for remote vendor access to their systems," Doug Levin, national director of the K-12 Security Information eXchange, told Axios in an email.
- "At present, the third-party risk management practices of most school systems are immature — and much work is warranted before, during, and after procurement."
What we're watching: Each compromised school district was impacted in different ways, and PowerSchool hasn't said much about how many students' information was at risk.