The San Diego Unified School District (SDUSD) released the following notification to parents and guardians on Wednesday, January 8, 2025:
"Dear San Diego Unified Families,Out of an abundance of caution and as part of our ongoing commitment towards transparency, we are reaching out to let you know about a cyber security incident. We learned on Tuesday, January 7, 2025 via email that PowerSchool, a global student information system provider used by our school district and many others across the country, was the target of a cybersecurity incident discovered on Saturday, December 28, 2024. We have been informed that some student data from our district and other districts was downloaded by an unauthorized user, and an analysis is being done by PowerSchool on the type of information accessed.PowerSchool has told us the situation has been contained, and they have taken actions to prevent the information from being used. We have reinforced to this vendor our expectations about upholding the highest data security standards. If there are any important updates, we will notify you."
This incident follows two significant cybersecurity breaches in the past. In 2018, SDUSD discovered a large-scale breach involving personal information of over 500,000 current and former students, as well as staff. The breach, attributed to phishing emails, exposed sensitive data such as Social Security numbers, birthdates, addresses, and health records. District officials confirmed that unauthorized individuals had gained access to and altered internal systems for nearly a year. The district urged affected individuals to monitor their credit and offered guidance on how to report suspicious activity. At the time, SDUSD pledged to implement stronger cybersecurity measures to prevent future incidents.
Four years later, the district faced another breach, this time affecting employees and potentially some students. Hackers accessed and stole data, including Social Security numbers, health plan information, and direct deposit details. Cybersecurity experts speculated this attack could have been an extortion attempt or intended to sell the stolen data on the dark web. In response, SDUSD updated its protocols and offered identity monitoring services to victims. However, the breach raised further concerns about the district’s cybersecurity preparedness.
While the scope of the most recent breach involving PowerSchool is still under investigation, it adds to a troubling pattern of cybersecurity vulnerabilities within the district. These repeated incidents highlight the challenges educational institutions face in safeguarding sensitive data against increasingly sophisticated cyberattacks.
SDUSD’s reliance on third-party systems like PowerSchool raises additional concerns about the accountability and security standards of external vendors handling student information.
Parents and guardians affected by this latest breach are encouraged to monitor their children’s records and remain vigilant for potential identity theft.
For more information, visit sandiegounified.org or contact the district directly.
Originally published on January 8, 2025.