PowerSchool Cybersecurity Information

From PowerSchool (7/1/2025):

PowerSchool Data Security Incident

The privacy and security of the personal information we maintain is of the utmost importance to Mustang Public Schools. Mustang Public Schools has been monitoring a recent cybersecurity incident that impacted PowerSchool, a company that provides Mustang Public Schools with student information management software.

On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of certain personal information from PowerSchool Student Information System (SIS) environments through one of PowerSchool’s community-focused customer support portals, PowerSource.

Upon learning of the incident, Mustang Public Schools promptly inquired with PowerSchool to learn what occurred and to identify what information pertaining to Mustang Public Schools was impacted. Despite our attempts to understand the scope of impact, PowerSchool was unable to confirm the exact information that was impacted at the time of the incident. Based on PowerSchool’s representations and communications about the incident, Mustang Public Schools understands that the impacted information related to Mustang Public Schools’s community may have contained personal information of certain individuals, including one or more of the following: name and/or Social Security number.

We understand that on or about January 29, 2025, PowerSchool began sending notifications via email directly to certain impacted individuals and families to notify them of the incident. It is anticipated that these incident notification emails from PowerSchool will be sent to affected individuals and families on a rolling basis over a period of weeks.

PowerSchool is offering two years of complimentary identity protection services to students and educators whose information was involved. For adult students and educators, this offer will also include two years of complimentary credit monitoring services. If you are interested in enrolling, please see PowerSchool’s provided instructions below:

Option 1 from PowerSchool: If the Involved Individual is 18 or Over

• Ensure that you enroll by July 31, 2025 (Your code will not work after this date at 5:59 UTC)
• Visit the Experian IdentityWorks website to enroll: www.experianidworks.com/plus
• Provide your activation code: CTYU949PRK
• For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464
• Be prepared to provide engagement number: B138812

Details Regarding the Experian IdentityWorks Credit Plus Membership

A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:

• Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only. Offline members will be eligible to call for additional reports quarterly after enrolling.
• Credit Monitoring: Actively monitors Experian file for indicators of fraud.
• Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
• Identity Restoration: Identity Restoration agents are immediately available to help you address credit and non-credit related fraud.
• Experian IdentityWorks ExtendCARE^TM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
• $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers. The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Option 2 from PowerSchool: If the Involved Individual is Under 18

• Ensure that you enroll by July 31, 2025 (Your code will not work after this date at 5:59 UTC)
• Visit the Experian IdentityWorks website to enroll: www.experianidworks.com/minorplus
• Provide your activation code: CEBP456TRK
• For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464.
• Be prepared to provide engagement number: B138813

Details Regarding the Experian IdentityWorks Credit Plus Membership

A credit card is not required for enrollment in Experian IdentityWorks. You can contact Experian immediately regarding any fraud issues, and have access to the following features once enrolled:

• Social Security Number Trace: Monitoring to determine whether enrolled minors in your household have an Experian credit report. Alerts of all names, aliases and addresses that become associated with your minor’s Social Security Number (SSN) on the Experian credit report.
• Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
• Identity Restoration: Identity Restoration agents are immediately available to help you address credit and non-credit related fraud.
• Experian IdentityWorks ExtendCARE^TM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
• $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers. The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

We encourage impacted individuals to take actions to help protect their personal information. These actions include enrolling in the credit monitoring services described, placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report. Additionally, individuals should always remain vigilant in reviewing their financial account statements, explanation of benefits statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.

PowerSchool has set up a dedicated response line for this incident. Concerned individuals may contact PowerSchool’s response line directly at (833) 918-9464, available Monday through Friday, 8:00 a.m. to 8:00 p.m. Central Time.  PowerSchool has published additional information on its website, which is available at: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.

We acknowledge this may be concerning news. As always, our number one priority is to ensure the safety and security of our students, staff and community. We have taken this matter very seriously and will continue to take significant measures to protect the personal information in our possession. 

– OTHER IMPORTANT INFORMATION –

1.         Placing a Fraud Alert.

We recommend that you place a one-year “Fraud Alert” on your credit files, at no charge.  A fraud alert tells creditors to contact you personally before they open any new accounts.  To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below.  As soon as one credit bureau confirms your fraud alert, they will notify the others. 

Equifax P.O. Box 105069 Atlanta, GA 30348-5069 www.equifax.com/personal/credit-report-services/credit-fraud-alerts/ (888) 378-4329; (800) 525-6285

Experian P.O. Box 9554 Allen, TX 75013 www.experian.com/fraud/ center.html (888) 397-3742

TransUnion Fraud Victim Assistance Department P.O. Box 2000 Chester, PA 19016 www.transunion.com/fraud-alerts (800) 916-8800; 800-680-7289

2.         Consider Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “Security Freeze” be placed on your credit file at no cost.  A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing, by mail, to all three nationwide credit reporting companies.  To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze P.O. Box 105788 Atlanta, GA 30348-5788 www.equifax.com/personal/credit-report-services/credit-freeze/ (888) 298-0045; (800) 685-1111

Experian Security Freeze P.O. Box 9554 Allen, TX 75013 www.experian.com/freeze/ center.html (888) 397-3742

TransUnion Security Freeze P.O. Box 160 Woodlyn, PA 19094 www.transunion.com/credit-freeze (800) 916-8800; (888) 909-8872

In order to place the security freeze, you will need to supply your name, address, date of birth, Social Security number and other personal information such as copy of a government issued identification.  After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password.  Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze. If you do place a security freeze prior to enrolling in a credit monitoring service, you will need to remove the freeze in order to sign up for the credit monitoring service. After you sign up for the credit monitoring service, you may refreeze your credit file.

3.         Obtaining a Free Credit Report.

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com.  Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize.  Verify all information is correct.  If you have questions or notice incorrect information, contact the credit reporting company.

4.         Protecting Your Medical Information.

If this notice letter indicates that your medical information was impacted, we have no information to date indicating that your medical information involved in this incident was or will be used for any unintended purposes. As a general matter, however, the following practices can help to protect you from medical identity theft.

• Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
• Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
• Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

5.         Additional Helpful Resources.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically.  Checking your credit report periodically can help you spot problems and address them quickly. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report.  Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts.  You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.  Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations.  In addition, you may obtain information from the FTC about fraud alerts and security freezes.

---

Maryland Residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.marylandattorneygeneral.gov, Telephone: 888-743-0023.

Massachusetts Residents: Under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

New Mexico residents: You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit. In addition, you have the right to obtain a security freeze (as explained above) or submit a declaration of removal. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act. For more information about the FCRA, please visit www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.

New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; ag.ny.gov/consumer-frauds-bureau/identity-theft; Telephone: 800-771-7755.

North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, Telephone: 877-566-7226 (Toll-free within North Carolina), 919-716-6000.

Oregon Residents: You may obtain information about preventing identity theft from the Oregon Attorney General’s Office: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us, Telephone: 877-877-9392.

Washington D.C. Residents: You may obtain information about preventing identity theft from the Office of the Attorney General for the District of Columbia, 400 6th Street NW, Washington D.C. 20001, oag.dc.gov/consumer-protection, Telephone: 202-442-9828.

3/12/2024 

On January 7th, we shared that PowerSchool was the target of a cybersecurity incident that resulted in the exfiltration of data from the Students and Teachers tables for some PowerSchool SIS customers by an unauthorized user. We immediately took corrective measures necessary to contain the incident, began notifying relevant regulatory agencies on your behalf (where applicable) as well as students and educators whose data was involved, and provided credit and identity monitoring services to the individuals students and educators.

Today we are sharing closing updates on:

1. The final CrowdStrike Incident Report, which did not identify any new or concerning findings beyond what we have shared;
2. Our ongoing engagement with regulators in the United States and Canada;
3. The identity monitoring (and credit monitoring, as applicable) that PowerSchool continues to make available to all individuals involved, and
4. How PowerSchool has and will continue to strengthen our cybersecurity defenses as we connect the education community with the shared goal of helping students thrive through personalized education.

CrowdStrike Incident Report

Immediately after PowerSchool became aware of the incident, CrowdStrike was engaged to conduct an investigation into the incident. We made available a CrowdStrike interim fact sheet in mid-January, and with the investigation complete, are now sharing the final incident report.

CrowdStrike did not identify any new or concerning findings beyond what we already shared in the interim fact sheet. The report confirms:

• The Threat Actor accessed PowerSource, a community-focused customer support portal, using a single compromised credential.
• The Threat Actor’s activities were limited to exfiltration of select PowerSchool SIS instances of Students and Teachers tables.
• CrowdStrike’s Recon+ Intelligence service has not identified any evidence of this exfiltrated information available for sale or download.
• CrowdStrike found no evidence of system-layer access or malware associated with this incident.
• CrowdStrike found no other PowerSchool products were compromised.
• While the PowerSource environment experienced unauthorized activity prior to December, PowerSchool believes that the data exfiltration occurred in late December.

In addition to sharing here, we are posting CrowdStrike’s final incident report on our website and sharing it with regulators in the United States and Canada where appropriate. We encourage you to share this report with any stakeholders that you deem appropriate.

Regulator Notifications – United States & Canada

As we shared on January 27th and February 4th, PowerSchool filed notifications with applicable regulators across U.S. and Canadian jurisdictions (respectively) on behalf of impacted customers who did not opt out of our offer to do so. Our dialogue with regulators is ongoing. We plan to share the final CrowdStrike incident report and additional relevant details from our on-premise customers who opted to share their information with us.

Identity & Credit Monitoring Notifications

On January 17th, we announced that PowerSchool secured two years of complimentary identity protection for all students and educators involved where such services are available through Experian, regardless of whether an individual’s social security number was exfiltrated. We also made available two years of credit monitoring for involved students and educators in the United States and Canada who are eligible for credit monitoring services. To further support your communities with these resources, please note:

• Experian, our identity protection services provider, has sent email notifications on PowerSchool’s behalf (except those customer who opted out) to both current and former families and educators whose information was involved, and for whom we have available contact information. These notifications will continue as we process on-premise customer information.
• These individual notices are sent from an Experian company, CSIdentity whose domain includes @csid. Please contact your CSM or Support team leader if you have any questions. Neither PowerSchool nor Experian will ever ask you for personal information via email.
• You can share information regarding the available monitoring services to your communities using the form letters provided to you by PowerSchool or the information provided on PowerSchool’s website.
• Information on how to enroll in identity and credit monitoring is posted on PowerSchool’s website (for the U.S. and Canada). We encourage you and your communities to take advantage of the monitoring being offered.
• PowerSchool has extended the sign-up deadline for Experian’s services from May 31, 2025, to July 31, 2025.

Security Improvements and Hardening Measures Introduced

As part of our commitment to continuously strengthen security across the K-12 ecosystem, PowerSchool has taken significant steps to enhance our cybersecurity posture. To-date we have:

• Required that 100% of PowerSchool employees and contractors utilize SSO, MFA, VPN, and VDI for any hardware or resource that accesses customer data – including PowerSource;
• Invested in physical security measures including fingerprint and facial recognition authentication for all PowerSchool employees and contractors;
• Implemented rigorous technical audits of all access to customer data to validate and reinforce our security framework, including shortening the time-windows for authorized maintenance to reduce the risk of improper access; and,
• Limited the number of SIS instances a single account can log into during a 24-hour period.

In addition, we have taken proactive measures to reinforce our unwavering commitment to safeguarding student and educator data, including:

• Establishing a new Customer Security Advisory Council, which will provide a forum for in-depth security reviews, industry collaboration, and best practice sharing.
• Developing a security rubric to help districts assess not only PowerSchool’s security commitment but also their own infrastructure and third-party systems.
• Continuing our long-standing security protocols, including adherence to global standards (such as ISO 27100), product-level governance (including SOC II audits), and monitoring via our Security Operations Center, which currently maintains 24x7x365 coverage against cybersecurity threats. You can learn more about our security process and policies here.

We hope this update can begin to bring closure to this incident; please reach out to your CSM or Support contact with any additional questions or concerns. We are grateful for your partnership over the last several weeks and look forward to all that we can accomplish as we move forward—together.

Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool

UPDATE from PowerSchool: 2/27/25

Notifications to potentially impacted students/parents and staff will soon be sent.

These notifications will come from Experian, using one of the following email addresses:

• Ps-sis-incident@mail.csid.com
• Ps-sis-incident@mail1.csid.com
• Ps-sis-incident@mail2.csid.com

PowerSchool provided regulatory notice of this incident on January 27th to governmental regulators in the United States and Canada, as applicable. PowerSchool's initial notification included data from our hosted customers only. Thus, with your added information, we will be augmenting our prior regulatory notifications in the coming weeks.

We cannot provide date and time estimates as to when these will be sent.

---

February 07, 2025 - Mustang Public Schools is actively monitoring a recent cybersecurity incident that impacted PowerSchool, a company that provides Mustang Public Schools with student information management software.

Specifically, we recently learned that on December 28, 2024, PowerSchool discovered that an unauthorized actor gained access to certain customer data, potentially including some information relating to Mustang Public Schools. At this time, broadly speaking, our understanding is that the elements of information involved in this incident generally may include the following: names, contact information, dates of birth, Social Security numbers, medical alert information, and other related information. Please note, Mustang Public Schools does not maintain Social Security numbers via the PowerSchool platform, therefore Mustang Public Schools has no evidence to indicate that Social Security numbers were involved for our community.

We understand that on or about January 29, 2025, PowerSchool began sending notifications via email directly to certain impacted individuals and families to notify them of the incident. It is anticipated that these incident notification emails from PowerSchool will be sent to affected individuals and families on a rolling basis in the coming days and weeks. As of January 29, 2025, PowerSchool has represented its investigation into the incident has not yet concluded. As such, our understanding of the scope of the incident is actively evolving and there remains a possibility that those families who have not yet received an email from PowerSchool may receive one in the future, along with further communication from Mustang Public Schools.

 While we await final findings from PowerSchool concerning the scope of the impact of this incident, it is important to remain diligent in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis.

PowerSchool is offering two years of complimentary identity protection services to students and educators whose information was involved. For adult students and educators, this offer will also include two years of complimentary credit monitoring services. If you are interested in enrolling, please sign up via one of the two following options:

Option 1 from PowerSchool: If the Involved Individual is 18 or Over

• Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC)
• Visit the Experian IdentityWorks website to enroll: http://www.experianidworks.com/plus
• Provide your activation code: CTYU949PRK
• For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464
• Be prepared to provide engagement number: B138812
• Experian’s call center hours are Monday through Friday, 8:00am through 8:00pm Central Time (excluding major US holidays.)

Option 2 from PowerSchool: If the Involved Individual is Under 18

• Ensure that you enroll by May 30, 2025 (Your code will not work after this date at 5:59 UTC)
• Visit the Experian IdentityWorks website to enroll: Enroll Now
• Provide your activation code: CEBP456TRK
• For over the phone assistance with enrollment or questions about the product, please contact Experian’s customer care team at 833-918-9464
• Be prepared to provide engagement number: B138813

Further, PowerSchool has set up a dedicated response line for this incident. The response line is available Monday through Friday, 8:00 am to 8:00 pm Central Time.  You may contact PowerSchool’s response line directly at (833) 918-9464. Additionally, PowerSchool has published additional information on its website, which is available at:       
https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/ 

We acknowledge this may be concerning news. As always, our #1 priority is to ensure the safety and security of our students, staff and community. We will share further updates as relevant information becomes available.

- OTHER IMPORTANT INFORMATION -

1.     Placing a Fraud Alert on Your Credit File.

You may place an initial one-year “fraud alert” on your or your student’s credit files (if one exists), at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others. 

Equifax

P.O. Box 105069
Atlanta, GA 30348-5069
(800) 525-6285
https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

Experian

P.O. Box 9554
Allen, TX 75013
(888) 397-3742
https://www.experian.com/fraud/center.html

TransUnion

Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016-2000
(800) 680-7289
https://www.transunion.com/fraud-alerts

2.     Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your or your student’s credit file, at no charge (to the extent one exists). A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

Equifax Security Freeze       

P.O. Box 105788
Atlanta, GA 30348  
https://www.equifax.com/personal/credit-report-services/credit-freeze/
(800) 349-9960
(888) 298-0045

Experian Security Freeze    

P.O. Box 9554
Allen, TX 75013
http://experian.com/freeze
(888) 397-3742

TransUnion Security Freeze

P.O. Box 160
Woodlyn, PA 19094
https://www.transunion.com/credit-freeze
(888) 909-8872

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

3.     Obtaining a Free Credit Report

Under federal law, you are entitled to one free credit report (to the extent one exists) every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

4.     Additional Helpful Resources.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

5.     Protecting Your Medical Information.

The following practices can provide additional safeguards to protect against medical identity theft:

• Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
• Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access to current date.
• Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

 

NOTE: Updates on this topic will be organized into posts by month. Below is all of the information released in January 2025.  Please be sure to check for other updates on the News Section of the MPS Homepage.

UPDATE - 1/29/2025 (for older information - scroll down)

PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.

---

UPDATE - 1/21/2025 (original information - scroll to bottom)
 

STAFF LETTER

MPS Staff,

As part of our commitment to keeping you informed about the recent cybersecurity incident involving PowerSchool, we are sharing additional updates we’ve received directly from PowerSchool. This follows our earlier communication regarding the unauthorized access to specific data within PowerSchool’s Student Information System (SIS).

PowerSchool has provided the following new information and next steps:

• Identity Protection and Credit Monitoring Services:
  PowerSchool has partnered with Experian, a well-known credit reporting agency, to offer two years of complimentary identity protection services to all educators whose information was involved. This will include credit monitoring for affected individuals. These services are being offered regardless of whether Social Security numbers were accessed.

• Individual Notifications:
  In collaboration with Experian, PowerSchool will soon begin notifying educators whose data was involved. The notification will include information about the identity protection and credit monitoring services and a phone number to answer any questions about the incident. Notifications are expected to begin within the next few weeks.

• Investigation Update:
  PowerSchool has assured us they have engaged third-party cybersecurity experts to investigate the incident. To date, PowerSchool has reported no evidence of identity theft attributable to this incident.

For the most up-to-date information, please visit PowerSchool’s Security Incident Website at https://www.powerschool.com/security/sis-incident/.

We recognize the frustration and concern this incident may cause, and we appreciate your patience and understanding as we work through this process. Protecting your information is a priority, and we will continue to share updates as we receive them.

Thank you for your continued commitment to the students and families of Mustang Public Schools.

FAMILY LETTER

Mustang Families,

As promised in our earlier communications, we are reaching out to share additional information regarding the cybersecurity incident involving PowerSchool, a software vendor that provides our Student Information System (SIS). PowerSchool recently provided updates about the next steps and resources for affected individuals.

Here’s what we’ve learned from PowerSchool:

• Identity Protection and Credit Monitoring Services:
  PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved in the incident. For adult students and educators, this includes two years of credit monitoring services.  These services are being offered regardless of whether Social Security numbers were accessed.

• Individual Notifications:
  In collaboration with Experian, PowerSchool will notify students (or their parents/guardians for those under 18) and educators whose information was involved. The notifications are expected to begin in the next few weeks and include instructions for enrolling in identity protection and credit monitoring services and a dedicated phone number for questions.

• Investigation Update:
  PowerSchool has reported that they have engaged third-party cybersecurity experts to investigate the scope of the incident. To date, PowerSchool is not aware of any identity theft attributable to this incident.

For the most up-to-date information, please visit PowerSchool’s Security Incident Website at https://www.powerschool.com/security/sis-incident/.

We understand that this incident may raise concerns, and we remain committed to supporting our families during this time. Thank you for your partnership and for trusting Mustang Public Schools to prioritize the safety and well-being of our students and community.

—---------------------------------------------------------------—

Mustang Public Schools Responds to PowerSchool Cybersecurity Incident

(Mustang, Oklahoma – January 13, 2025) – Mustang Public Schools (MPS) has been informed of a cybersecurity incident involving PowerSchool, the district’s student information system provider. According to PowerSchool, an unauthorized party accessed their PowerSource portal, which allowed access to specific data from school districts across the country, including Mustang Public Schools.

What Happened: On December 28, 2024, PowerSchool identified unauthorized access to its PowerSource portal using a compromised credential. The breach affected data from student and staff tables, including, for Mustang, records dating back to 2009. Importantly, PowerSchool has confirmed that this breach did not impact any other systems or services used by the district.

What Data Was Affected: The affected data accessed includes:

• For Staff: Limited personal information such as names, addresses, work contact information, and, in 15 cases, Social Security numbers.
• For Students: Information, including names/addresses (including parent/guardian), DOB, grade levels, phone numbers, ethnicity, student alerts (if present), state student ID numbers, and emergency contacts.

Passwords were not included in the compromised data, and current District systems remain secure.

Our Response: Mustang Public Schools is working closely with PowerSchool, third-party cybersecurity experts, and law enforcement to address this issue. PowerSchool has taken steps to contain the breach, including deactivating the compromised credentials, enhancing security protocols, and monitoring for potential misuse of data.

Additionally, Mustang Public Schools is committed to:

• Supporting affected individuals by connecting them with PowerSchool which has promised to provide resources such as credit monitoring and identity protection services where applicable.
• Keeping our families and staff informed with transparent and timely updates as more information becomes available.

What You Can Do: While PowerSchool has indicated that the data is not expected to be shared or made public, Mustang Public Schools encourages families and staff to remain vigilant by monitoring for unusual activity related to personal information. We are working with PowerSchool to ensure that all affected individuals have the resources they need to safeguard their information.

Looking Ahead: “We understand how concerning this situation is for our families and staff,” said Charles Bradley, Superintendent of Mustang Public Schools. “While this incident occurred outside of our systems, we are taking every step to ensure our community is informed and supported as we navigate this challenge together.”

For further updates, please visit https://www.powerschool.com/security/sis-incident/ or contact PowerSchool directly at 877-873-1550 or Security@PowerSchool.com.

###

Information For STAFF

Information for FAMILIES

About Mustang Public Schools
The Mustang Public School District covers over 72 square miles in Oklahoma and Canadian counties, with the City of Mustang at its center. The district is the largest employer in Canadian County, with more than 1,800 certified and support employees, and serves over 13,500 students. As one of Oklahoma’s Top Workplaces, the school district offers a comprehensive compensation package for full-time employees, in addition to a satisfying working environment. There are eight (soon to be 9) elementary schools (grades PreK-4), three intermediate centers (grades 5-6), three middle schools (grades 7-8), one high school (grades 9-12), and an educational center which houses pre-kindergarten and alternative education.
www.mustangps.org
Facebook/X(Twitter)/Bluesky - @MustangSchools
Instagram/Threads - @MustangPS