To All West Grand Families

On Tuesday, January 7, 2025, West Grand School District was contacted by PowerSchool to inform us of a data breach that occurred in the PowerSchool student information system platform over the holiday break between December 19, 2024 and December 24, 2024. This data breach involved unauthorized access to, and the downloading of, files containing both student and staff information from West Grand and many other school districts across the US and Canada.

WGSD used PowerSchool from 2016 through the end of the 23-24 school year as our primary database to house student information. We have already switched our primary student information system to Alma, and after our final PowerSchool contract expires in July of 2025, we will no longer be doing business with, or sharing any data with, PowerSchool.

In this attack, a portion of data from the records of ALL students who attended WGSD from the 16-17 school year to the 23-24 school year was accessed. The information contained in those records consists primarily of directory information and legacy data fields that would not be considered valuable to bad actors. However, certain data fields were used to store students’ PII (Personally Identifiable Information). Those data fields are:

  • First Name

  • Middle Name

  • Last Name

  • DOB

  • Social Security Number

  • Colorado State Student ID

  • Physical and mailing addresses

  • Emergency contact phone numbers

  • Race and Ethnicity demographics

  • Guardian email addresses

  • Mother and Father first and last names

  • Doctor Name

  • Doctor Phone Number

  • Medical Alert

  • Guardian Alert

  • Free and Reduced Lunch Status

We have been assured by PowerSchool that the breach is contained and that there is no ongoing threat. They claim that the compromised data has already been deleted and will not be used or made public. At this time, there is no evidence that our data has been misused or exposed publicly following this attack, but we encourage parents, alumni and staff members to take extra steps to protect themselves and their information.

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report for yourself or your student if they are still under the age of 18, visit www.annualcreditreport.com or call toll-free 1-877-322-8228.

Both adults and legal guardians of students under the age of 18 have the right to place an initial or extended “fraud alert” on their credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take additional steps to verify the consumer’s identity before extending new credit.

An alternative to a fraud alert is a “credit freeze,” which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent any and all credit, loans, and services from being approved in a consumer’s name until the freeze is lifted. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.

Minors under the age of 18 do not typically have credit reports. If you wish to place a fraud alert or credit freeze on behalf of your student, a credit report will be created for them and then frozen or placed under a fraud alert.

If you wish to request a free credit report, a free credit fraud alert or a free credit freeze for yourself or your student, you can do so by contacting any of the three major credit reporting bureaus listed below.

Equifax

Experian

  • https://www.experian.com/help/

  • 1-888-397-3742

  • Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013

  • Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion

Consumers may further educate themselves regarding identity theft, fraud alerts, credit freezes, and the steps they can take to protect their personal information by contacting the consumer reporting bureaus listed above, the Federal Trade Commission, or the Colorado State Attorney General.

The Federal Trade Commission may be reached at:

  • www.identitytheft.gov

  • 1-877-ID-THEFT (1-877-438-4338)

  • TTY: 1-866-653-4261

  • 600 Pennsylvania Avenue NW, Washington, D.C. 20580

The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Consumers can obtain further information on how to file such a complaint by way of the contact information listed above. Consumers have the right to file a police report if they ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, consumers will likely need to provide some proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and the relevant state Attorney General.

PowerSchool is also required by law to provide additional free credit monitoring services to affected adults, and identity protection services to affected minors. At this time, we do not know which identity protection company will be providing these services. When more information about enrollment for these services becomes available, it will be shared on the district website and via Parentsquare post.

Students and staff members who joined West Grand during the current 24-25 school year have not been affected by this attack. None of our data was lost, damaged, or changed. We did not store any copies of personal or legal documents (i.e. birth certificates, court documents, forms of photo identification) in PowerSchool. Other than what was mentioned above, no other student data stored in PowerSchool was accessed. Medical records, disciplinary records, individual student plans, grade and transcript data, and Colorado state-specific demographic information are stored in separate data tables that were not accessed by the attackers.

Other district programs that store and use student information have not been affected in any way by this incident. The student data stored in Alma, Etrition and Arbiter Sports is still completely secure, and these programs are safe to use.

This attack was carried out by threat actors who gained access to PowerSchool through the company directly and was not a breach of any WGSD systems or cybersecurity infrastructure. No school-managed networks, devices or accounts were involved or used in this attack.

As we receive more information from PowerSchool, we will be sharing that information.

PowerSchool FAQs about the incident are posted at: https://www.powerschool.com/security/sis-incident/

Reach out to PowerSchool at: https://www.powerschool.com/company/contact/

West Grand School District will be hosting a public meeting on Tuesday, January 28th at 6:30pm, in accordance with HB 2016-1423, where this incident will be discussed and opened to public comment.

The Tech Department will do their best to answer any questions, but please understand that the intention of this announcement is to clearly disclose all of the information that we have about this incident so far. Any new information that is made available to us will be made public immediately, or will be communicated directly to those who are impacted if the new information falls under FERPA or other state and federal confidentiality laws.

If your questions for the tech department concern your personal information, or the personal information of your student that is stored and managed by the District Student Information System, our confidentiality policies will still apply, and you may be asked additional questions to verify your identity or your legal guardianship of the student before specific information can be shared with you.