Millburn School Data Breach Update: ID Protection Services Offered

MILLBURN, NJ — The Millburn Public School District has released an update about a recent data breach that impacted the PowerSchool software system.

Superintendent Kate Diskin released the following advisory to the school community on Jan. 8:

“We were informed today that PowerSchool, our Student Information System, had a recent data breach. The breach is estimated to have occurred in late December. PowerSchool is a cloud-based software solutions provider for K-12 schools like Millburn that supports over 60 million students and over 18,000 customers worldwide. In response to the cyber attack, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident. The specific details of the data affected are still being determined, but at this time, we know that student and staff names, addresses, emails, grade levels, and other personal information were stored in PowerSchool and may have been compromised. Social security numbers are not stored in this system. PowerSchool has assured us that the incident is contained, and there is no evidence of malware or continued unauthorized activity within the system. The company has publicly reported that it is reasonably confident that the threat actor deleted the stolen data, but there is no 100% guarantee that the data was fully deleted.”

“Our technology director and the district team are working with PowerSchool to determine the extent of our exposure,” the superintendent continued. “We will continue to provide updates as information becomes available from PowerSchool.”

UPDATE: COMPLIMENTARY ID PROTECTION SERVICES

Diskin issued an update on the data breach on Tuesday. Here’s the latest message from the superintendent:

“As we previously communicated on January 8, 2025, PowerSchool, our student information system (SIS) vendor, recently experienced a cybersecurity incident involving unauthorized access to certain information in their systems nationwide. As we stated at that time, PowerSchool has assured us that the incident is contained, and there is no evidence of malware or continued unauthorized activity within the system. The company has publicly reported that it is reasonably confident that the threat actor deleted the stolen data, but there is no 100% guarantee that the data was fully deleted.”

In further efforts to safeguard their clients’ families data, PowerSchool has shared the following information regarding their next steps, Diskin said:

Identity Protection and Credit Monitoring Services – “PowerSchool has engaged Experian, a trusted credit reporting agency, to offer two years of complimentary identity protection services for all students, families, and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all adult students and educators whose information was involved.”

Notification to Individuals – “A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parents/guardians as applicable) and educators for whom we have sufficient contact information. PowerSchool will also launch a website and distribute a media release to ensure we reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that PowerSchool is offering.”

For more information from PowerSchool about this cybersecurity incident, visit https://www.powerschool.com/security/sis-incident for an up-to-date FAQ.

Send local news tips and correction requests to eric.kiefer@patch.com. Learn more about advertising on Patch here. Find out how to post announcements or events to your local Patch site.