Cybersecurity Incident

No. Stillwater Area Public Schools doesn't collect student social security numbers and doesn't store staff SSN in PowerSchool.

No, Financial information to pay for meals, activities, or field trips is used through other systems outside of PowerSchool, so was not accessed in this incident. 

We do a lot of things to make different tools, like PowerSchool and School Cafe, seem like it's all one page to try and simplify the number of pages people need to go to, but it's a completely separate service that wasn't involved. The information accessed did not have access to your Google Account or shared logins to other places that you use your Stillwater Google Account to log into. 

On Jan. 7, Stillwater Area Public Schools was notified of a cybersecurity incident involving unauthorized access to PowerSchool, the district's Student Information System. This incident occurred due to compromised credentials at a third-party vendor hosting PowerSchool and did not involve vulnerabilities within the district’s systems.

The unauthorized access on PowerSchool's system occurred on Dec. 19, 2024. 

PowerSchool became aware of the breach on Dec. 28, 2024 and because to investigate. 

Stillwater Area School District was notified by PowerSchool in the afternoon on Jan. 7, 2025, and implemented their internal incident response plan. 

After investigation, Family and staff communication was sent out on Jan. 9, 2025 . 

• For Students: Names, addresses, birthdates, homeroom teachers, enrollment dates, guardian phone numbers, and some individual emergency contacts. The student records include currently enrolled students, and those who graduated in the year 2020, 2021, 2022, 2023, and 2024.  
• For Staff: Names, district email addresses, and district phone numbers.

No. PowerSchool has confirmed that the data was deleted by the threat actor and has not been made public or shared.

The district has activated its cybersecurity incident response plan and is working with PowerSchool to assess the scope of the breach. Actions include:

• Participating in PowerSchool’s informational sessions.
• Consulting with cybersecurity experts.
• Coordinating with other affected schools to share insights and strategies.

Please be assured that the safety and security of Stillwater students and staff remains a top priority.

PowerSchool has implemented cybersecurity protocols, engaged third-party experts, and reported the incident to the FBI. They are working to strengthen their systems and prevent future data incidents.

PowerSchool is legally required to notify all individuals across all schools of their cybersecurity incident, and offer credit monitoring or identity protection to anyone who may have been impacted.

Email to Families 2020-present - TUES, APRIL 22, 2025, 4:30 p.m.

Dear Pony Families,

We are writing to share that Stillwater Area Public Schools has completed its investigation into the PowerSchool cybersecurity incident that occurred in December 2024.

As previously communicated in January, February, and April, this incident involved unauthorized access to certain student and staff information through PowerSchool, the student information system used by our district and many others across the country. While no financial or social security information was accessed or stored in PowerSchool in Stillwater, and there is no evidence that any of the data has been shared or misused, we have continued to take this matter seriously and acted with transparency throughout.

Today, we are releasing our formal investigative report, which provides a detailed summary of the incident, its impact, and the steps taken in response. 

This report also fulfills our obligations under Minnesota law (Minn. Stat. §13.055) to provide a public summary and notice of a data breach involving a government entity.

We appreciate your understanding and continued partnership as we work to safeguard student and staff information. If you have questions or concerns, please visit our website or contact us directly at comments@stillwaterschools.org. 

Sincerely,
Stillwater Area Public Schools
 

Email to Families 2020-present - Thurs, APRIL 3, 2025, 9 a.m.

Dear Pony Families,

We are reaching out again to ensure that families of students, both current and those who attended between 2020 and 2024, are aware of a recent cybersecurity incident involving PowerSchool, the student information system used by Stillwater Area Public Schools. 

As we shared publicly on Jan. 9 and Feb. 28, 2025, PowerSchool experienced a data breach in December 2024 that impacted school districts nationwide. This follow-up message is being sent to make sure all potentially impacted individuals—including those who may no longer be actively connected to the district—are informed of the incident and aware of available support. 

The information about Stillwater Area Public Schools staff and students that was accessed during the incident include:

• Student Information: Names, addresses, birthdates, homeroom teachers, enrollment dates, guardian phone numbers, and some individual emergency contacts.
• Staff Information: Names, district email addresses, and district phone numbers.

We want to reiterate:

• No financial information or social security numbers were accessed, as the district does not store that information in PowerSchool.
• There is no evidence that the data involved has been shared or misused.
• The accessed data for students included names, addresses, birthdates, homeroom teachers, enrollment dates, guardian phone numbers, and some individual emergency contacts.

PowerSchool has begun sending formal notifications to individuals whose information may have been involved. These notices include details about the incident and offer credit monitoring and identity protection services, as required by law. If you have questions or concerns about a notification from PowerSchool, please contact 833-918-9464.

Thank you for your continued understanding as we work to support our community and safeguard personal information. For more details about the incident, visit our district website. 

Sincerely, 
Stillwater Area Public Schools 

Email to Families and staff - FRI, FEB 28, 2025, 12:11 PM 

Dear Pony families and staff,

PowerSchool, the district’s student information system provider, is beginning to send out messages regarding a cybersecurity incident that occurred in December 2024. This is the same incident we informed staff and families about in a Jan. 9, 2025 email. Information about the incident is on our website.

PowerSchool is legally required to notify all individuals across all schools of their cybersecurity incident, and offer credit monitoring or identity protection to anyone who may have been impacted. That is the intent of their formal notification being sent.

It is important to note that no financial information or social security numbers of our students, families, or staff were accessed as part of the PowerSchool incident. Stillwater Area Public Schools does not retain that type of information on students or within PowerSchool for staff. 

The information about Stillwater Area Public Schools staff and students that was accessed during the incident include:

• Student Information: Names, addresses, birthdates, emergency contacts, homeroom teachers, enrollment dates, guardian phone numbers and some individual emergency contacts.
• Staff Information: Names, district email addresses and district phone numbers.

There is no evidence that the accessed data has been shared or misused, and families do not need to take any action. You are welcome, however, to take advantage of the free credit monitoring and identity protection services offered by PowerSchool. 

If you have questions or concerns about the PowerSchool notice, please call 833-918-9464

Email to impacted individuals - Thu, Jan 9, 11:09 AM 

Dear Pony families and staff,

On Tuesday, Jan. 7, we were informed of a cybersecurity incident involving unauthorized access to certain information within PowerSchool, our Student Information System (SIS). This breach originated with PowerSchool, and impacted school districts nationwide. The breach was not due to vulnerabilities in our district’s systems.

The data has not been made public. According to PowerSchool, the data involved was deleted by the threat actor as part of their interactions with the company.

What Happened?
A threat actor gained access to our SIS data by a third-party vendor hosting PowerSchool through compromised credentials. PowerSchool responded immediately by implementing their cybersecurity protocols, retaining third-party cybersecurity experts, and notifying the FBI.

Upon learning of this incident Tuesday afternoon, Stillwater schools immediately activated our own cybersecurity response plan. We have been collaborating with PowerSchool and our third party cyber security experts to fully assess the scope of the breach and identify the information involved.

Impact of the Incident
The following information was accessed during the breach:

• Student Information: Names, addresses, birthdates, emergency contacts, homeroom teachers, enrollment dates, guardian phone numbers and some individual emergency contacts.
• Staff Information: Names, district email addresses and district phone numbers.

It is important to note that no financial information or social security numbers were accessed, as the district does not retain that type of information on students or within PowerSchool for staff. 

Next Steps
Our team is actively participating in PowerSchool's informational sessions, investigating internally, and coordinating with other affected school districts to gather insights and ensure our systems are secure into the future.  

There is no evidence that the accessed data has been shared or misused, and families do not need to take any action. Should this change or should additional information come to light, we will notify you promptly. We will also be sharing a formal investigative report in the near future. 

We appreciate your understanding and patience as we address this matter. Please be assured that the safety and security of our students and staff remain a top priority.

If you have questions or concerns, please contact comments@stillwaterschools.org .

Sincerely,
Dr. Mike Funk, Superintendent

At this time, no action is required by families or staff. If this changes, families and staff will be notified with further guidance.

While no Social Security Numbers were included in this incident, PowerSchool is offering credit monitoring to all impacted families. More information on that program is available here: powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

The district will communicate significant updates directly via email and post them on this webpage.

While no misuse has been reported, we recommend monitoring accounts for unusual activity. If misuse is suspected, please contact comments@stillwaterschools.org. 

PowerSchool is offering credit monitoring to those interested. More information on that program is available here: powerschool.com/security/sis-incident/notice-of-united-states-data-breach/

If you have questions or concerns about the PowerSchool notice, please call 833-918-9464.

For additional questions, please contact email comments@stillwaterschools.org.

Minn. Stat. § 13.055, subd. 2(b) Investigation Report 

“PowerSchool Student Information System Cyber Incident” 

 

April 22, 2025

The data in this report is public under Minnesota Statutes, §13.02, subdivision 19, and Minnesota Statutes, §13.43, subdivision 2(a)(5).

This report is prepared in accordance with Minnesota Statutes, §13.055, which requires government entities to notify individuals in the event of a data breach and to prepare a report describing the facts and results of the investigation.
 

This document serves both as:

• The required notice to affected individuals under Minn. Stat. §13.055, and
• The formal investigation report under Minn. Stat. §13.055, subd. 2(b).

 

Minnesota Statutes, section 13.055, subdivision 2(b), requires government entities, including Stillwater Area Public Schools (the “District”), to “prepare a report on the facts and results of the investigation” into “any breach in the security of data.” This report includes the following information:

1. “a description of the type of data that were accessed or acquired”;
2. “the number of individuals whose data was improperly accessed or acquired”;
3. “if there has been final disposition of disciplinary action for purposes of Minn. Stat §13.43, the name of the employee determined to be responsible for the unauthorized access or acquisition, unless the employee was performing duties under Minn. Stat CH. 5B; and
4. “the final disposition of any disciplinary action taken against each employee in response”.

 

1. A description of the type of data that were accessed or acquired

 

On January 7, 2025, PowerSchool, the District's Student Information System (SIS) provider, informed Stillwater Area Public Schools of a cybersecurity incident involving unauthorized access to SIS environments hosted by a third-party vendor. Stillwater communicated with families beginning on January 9, 2025. This incident was part of a broader attack that affected multiple school districts utilizing the PowerSchool SIS. 

According to PowerSchool’s investigation, an unauthorized actor gained access between December 19, 2024 and December 23, 2024, using compromised login credentials from PowerSource, PowerSchool’s support portal. These credentials were used to access certain SIS environments, including the one used by Stillwater Area Public Schools. The attacker exfiltrated specific data tables, including those containing student and staff information. This access was not a result of any actions or vulnerabilities within Stillwater’s internal systems.

PowerSchool detected the unusual activity through its internal security monitoring tools and quickly initiated its incident response protocols. The compromised accounts were disabled, and PowerSchool worked with leading cybersecurity firm CrowdStrike to conduct a forensic investigation. CrowdStrike’s final report confirmed that the attacker had access to and exported specific datasets but subsequently deleted the stolen data during their interaction with PowerSchool.

Stillwater Area Public Schools was not directly targeted in this incident but was impacted due to the nature of the shared hosting environment. As soon as the District was made aware of the situation on January 7, 2025, it initiated its own cybersecurity response plan, employed an external cyber security firm, began reviewing impacted data, and collaborated with PowerSchool to notify affected individuals. There is no evidence at this time that any of the accessed information has been misused or publicly released.

Types of Data Accessed:

1. Student Information: Names, addresses, dates of birth, emergency contacts, homeroom teachers, enrollment dates, guardian phone numbers, and some individual emergency contacts.
2. Staff Information: Names, district email addresses, and district phone numbers.
    

No financial information or Social Security numbers were accessed, as this information is not stored in PowerSchool.

Measures Taken: 

3. PowerSchool has taken the following steps in response to the incident:
   1. Deactivated compromised credentials and restricted access to the support portal.
   2. Conducted a full forensic investigation and published a summary of findings.
   3. Implemented biometric authentication for employees and limited maintenance access windows.
4. Stillwater Area Public Schools has:
   1. Maintained communication with PowerSchool to monitor developments.
   2. Notified staff and families through email and its website.
   3. Participated in cross-district collaboration on cybersecurity response practices.

 

II. The number of individuals whose data was improperly accessed or acquired

Stillwater Area Public School's investigation determined that data from approximately 19,286 records belonging to students enrolled at Stillwater Area Public Schools between 2020 and 2024 was improperly accessed. 
 

III. If there has been a final disposition of disciplinary action for purposes of Minn. Stat §13.43, the name of each employee determined to be responsible for the unauthorized access or acquisition

No Stillwater Area Public Schools employee was found to be responsible for the unauthorized access. The incident was the result of compromised credentials used against PowerSchool's third-party systems. As such, no disciplinary action was taken against District staff.

IV. The final disposition of any disciplinary action taken against each employee in response.

Not applicable. No disciplinary action was taken against any Stillwater Area Public Schools employee in connection with this incident.

 

---

Learn more about this incident at stillwaterschools.org/our-district/cybersecurity-incident

Questions can be directed to Stillwater Area Public Schools at comments@stillwaterschools.org or to PowerSchool directly at 833-918-9464

 

DOWNLOAD FINAL REPORT