A cyberattack that exposed over 134K RCSD student records discussed by an expert

Rochester, New York – After a cyberattack that affected schools across the country, Jonathan S. Weissman, a lead lecturer at the Rochester Institute of Technology’s cybersecurity department, urged proactive measures.

Over 130,000 children in the Rochester City School District had their personal information compromised by the incident.

Sensitive data, including names, home addresses, phone numbers, and medical records, were made public by the hack.

According to reports, RCSD’s online student administration system, PowerSchool, was the source of the data hack.

“A PowerSchool employee’s credentials were compromised, and as a result, the cybercriminals were able to access that account and gain access to the treasure trove of information from faculty, students, and staff,” Weissman stated.

The Rochester Teachers Association president, Adam Urbanski, called the episode regrettable.

“There’s a lot that is not within their capacity to do, but they have hired agencies and services that can provide that capacity and are doing it for them,” Urbanski stated.

Weissman cautioned that the consequences could not be immediately noticeable, even though PowerSchool has declared that it is not aware of any identity theft as a result of the incident.

“Without hesitation, every parent out there should freeze their children’s credit,” Weissman stated. “When a cyber-criminal steals the identity of a child, it can go undetected for really long periods and will affect them much later in life.”

Urbanski confirmed that every precaution is being taken, despite the fact that the breach has caused significant anxiety.

“There is a lot of concern out there about this breach of information, and understandably so, but all that can be done is being done,” Urbanski stated.

Additionally, Weissman advised businesses to use multi-factor authentication and to be on the lookout for social engineering scams.

“We also need to be on guard for social engineering attacks, where the cybercriminals use the information they got to get more information from you and perform more attacks,” Weissman stated.

In addition to providing information for individuals who should get in touch with the three main credit bureaus—Equifax, Experian, and TransUnion—to request a security freeze or fraud alert, PowerSchool intends to notify people affected in the upcoming weeks.

The initial announcement from the district on the data breach:

Rochester City School District Families and Staff,
We want to inform you about a cybersecurity incident involving PowerSchool, the District’s student management system, which was reported earlier this month. This incident involved unauthorized access to information through a compromised credential on one of PowerSchool’s customer support portals. It affects thousands of districts across the United States and Canada.
PowerSchool has confirmed that unauthorized access occurred on their PowerSource support portal, exposing user data. PowerSchool is actively working with law enforcement and cybersecurity experts to investigate the situation and will continue to share updates as they are available. As soon as PowerSchool learned of the incident, they engaged in cybersecurity response protocols and mobilized a team of cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse.
PowerSchool has indicated that they are not aware of any identity theft attributable to this incident. Through discussions with PowerSchool leadership, it was made clear there was no additional action RCSD could have taken to prevent the breach. PowerSchool said the incident was an attack on the company, not any particular school system.
Starting in the next few weeks, in collaboration with Experian, PowerSchool will provide notice to students (or their parents/guardians, if the student is under 18) and staff whose information was involved and a phone number to answer any questions you may have about the incident. The notice will include the identity protection and credit monitoring services offered, as applicable.
PowerSchool has posted a public statement and a community-facing FAQ document on its website. These resources will be updated regularly to help school communities understand the extent of the incident and its implications.
Our technology team has identified the specific RCSD information that may have been accessed:
Approximately 134,000 student records, including First Name, Last Name, Date of Birth (DOB), Home Address, email address, all phone numbers, and emergency contacts (name, phone number, address, email). In addition, legal alerts may have been accessed; and medical diagnoses and conditions, including alerts for allergies, diabetes, asthma, etc., and the doctor’s name and phone number may also have been accessed.
Staff information, including First Name, Last Name, assigned school, email address, and New York State TEACH ID number.
In the meantime, I encourage you to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the cybersecurity incident. We are committed to keeping our community informed and will provide updates as we learn more. Thank you for your understanding and support as we address this matter.
Sincerely,
Dr. Terri Orden
Executive Director of Accountability and Program Efficiencies
RCSD Data Privacy Officer