Dear Charlottesville City Schools staff and families:
PowerSchool – the company that maintains our “student information system” – recently experienced a data breach. Data for current (and in some cases, former) students and staff was exported. Charlottesville City Schools was one of many impacted school divisions. Our staff has attended a PowerSchool information session about this incident, and PowerSchool believes they have successfully contained the situation so that the exported information will not be further shared or posted.
While much of the Charlottesville data that was downloaded is considered public “directory information,” we take this violation seriously, especially since it did contain several more protected data fields (school-issued student ID numbers, student meal PINs, and state testing ID numbers; find a full list of data fields, below). The data in the file gives no further access to programs or software containing sensitive private information (such as academic, personnel, or financial records). Even so, we are actively working with PowerSchool, the Virginia Fusion Center, and the Virginia Department of Education to investigate, and we will follow all recommendations. Again, PowerSchool believes that they have stopped the data from being shared. Read below to learn more.
Royal A. Gurley, Jr., Ed.D.
Superintendent
Learn more about the PowerSchool Cybersecurity Incident
On January 8, 2025, PowerSchool notified our IT Department that Charlottesville City Schools was among PowerSchool’s many worldwide clients whose data was accessed during a cybersecurity incident. Our staff attended a PowerSchool debrief about the data breach and PowerSchool’s work to resolve the situation.
What happened?
According to PowerSchool, someone used a compromised PowerSchool Support Technician credential to access and export data stored in the Student Information System (SIS). When PowerSchool became aware of the incident on December 28, 2024, they notified law enforcement, locked down the system, and engaged the services of CrowdStrike (a cybersecurity company that develops software to help companies detect and prevent cyberattacks) and Cyber Steward (a professional advisor with experience in negotiating with threat actors). PowerSchool believes their actions led to the deletion of the exported data so that it cannot be further disseminated or posted online.
What did PowerSchool do to address and contain this issue?
PowerSchool states that they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. We have a video confirming deletion and are actively searching the dark web to confirm.”
What data was accessed in the Charlottesville City Schools Student Information System?
Different school systems had different data accessed. In Charlottesville, we have confirmed that the data export does NOT contain any information relating to academic, health, discipline, personnel, or financial records. No social security numbers were stored or accessed for either staff or students. In addition, in Charlottesville, the data in the posted file gives no further access to programs or software containing sensitive private information.
The Cville Schools IT team has confirmed that the following were accessed for current (and in some cases former) students and staff:
What is PowerSchool doing next?
PowerSchool has stated that the incident is contained, and they have no evidence of malware or continued unauthorized activity in the PowerSchool environment. They are not experiencing any operational disruption and they continue to provide services as normal to school districts.
PowerSchool has stated, “While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.”
What is Charlottesville City Schools doing next?
While PowerSchool is solely responsible for this incident and its impact, Charlottesville City Schools is committed to protecting our student, staff, and family data. In addition to following PowerSchool’s updates and guidance closely, we have also reached out to the Virginia Fusion Center’s Cyber Intelligence Team as well as the Virginia Department of Education. We will follow their guidance closely and will share further updates that impact students, staff, or families.
Additional settings for Safari Browser.
