Vail Unified County notifies families of software breach

TUCSON, Arizona (13 News) – Security Breach of Major Software Provider for Schools Across America has included a number of southern Arizona school districts on its list of possible targets.

But what, if anything, worried them remains unknown.

Parents were notified by the Vale Unified District on Friday.

As of that afternoon, some were concerned at the mention of any breach of their children’s information, while others said it was too early to worry.

“There’s no reason to panic, is there? It’s just that sometimes it happens with big corporations, so right now we’re just trying to confirm what happened if they even try to use that information or the information that they got. That’s what it comes down to,” Shai Otero said as he picked up his son from Acacia Elementary School.

Otero said he read an email from the district notifying parents that PowerSchool, which is used by thousands of K-12 districts across the country, had allowed an unauthorized party to access customer data.

“I kind of understand what they can and can’t be used for, right? We see things going overseas all the time, I’m in the military so I understand the process of what can actually happen, so again, there’s no reason to panic until we know what they actually took,” Otero said.

The district told parents in an email that while names, birthdays, addresses and possibly basic medical information such as doctors’ names could have been accessed, what was not compromised and that the district does not collect or stores in PowerSchool include social security numbers, financial data, and passwords.

Otero said that if anything is done with the information, it remains to be seen whether someone, such as a hacker, was just trying to prove a point.

“There’s something wrong with the software they’re using, so in that aspect they’re just trying to figure out, ‘Hey, I broke your software, you can fix it,'” Otero explained.

At least seven southern Arizona counties use PowerSchool, including Vail, Sunnyside, Benson, Flowing Wells, Sahuarita, Ajo and the Unified Technology Education District.

J-TED confirmed to 13 News that it does use the PowerSchools platform, but said the company told them that was not the case.

It is not known how it will affect other districts.

“Understanding exactly what happened and what happened is the most important thing, other than just panicking and going crazy over nothing,” he said.

Vail’s email said PowerSchool is cooperating with the FBI and that the breach is specific to PowerSchool and does not affect other district systems.

Read the full message here:

Dear Vale families,

We are writing to inform you of a cyber security breach affecting PowerSchool, the company that provides our Student Information System (SIS).

PowerSchool is the largest provider of K12 education software in the US, serving over 16,000 districts/schools and approximately 50 million students worldwide. A large number of their customers were affected by this breach, including the Vail School District.

According to PowerSchool, an unauthorized party used compromised credentials to gain access to some customer data. Additionally, the company said the breach has been contained and there is no evidence of malware or ongoing unauthorized access.

Data that may have been compromised includes directory and demographic information.

For students and families, this may include, but is not limited to, name, address, birthday, phone number, gender, grade level, student number, parent/guardian and emergency contact information (name, address, phone number and email address). Some basic medical information, such as doctor’s name, allergies, and IEP status (IEP not included), may have been shared with some students.

Data that wasn’t compromised (we don’t collect or store it at PowerSchool) includes social security numbers, financial information, and passwords.

PowerSchool has taken steps to prevent further unauthorized access or misuse of any compromised data. The company is working with the FBI and national cybersecurity firms, and they believe the data has been removed and will not be released.

It’s important to note that this breach is related to PowerSchool and did not affect our other systems in the district. In addition, PowerSchool has assured its customers that they have taken significant steps to ensure that such incidents do not happen again.

Vail School District uses a full suite of cybersecurity tools and software as part of our standard best practices. As soon as we became aware of the incident, our district technical team worked with PowerSchool, as well as with additional third-party cybersecurity experts, to conduct a thorough forensic investigation, verify what happened, and ensure that our systems remain secure.

The safety, privacy and well-being of our students, staff and families remain our highest priority. We are committed to transparency and will provide additional updates as needed. Please do not hesitate to contact us if you have any questions about the specifics of your student data.

Email [email protected] with your name and phone number and we will contact you to confirm and answer any questions you may have about this incident.

Be sure to subscribe to the 13 News YouTube channel: www.youtube.com/@13newskold