ST. LOUIS – It’s being called one of the largest breaches of children’s personal information in history: PowerSchool, a company that manages the data of millions of children across American schools, has been hacked.
“Unfortunately, an incident like this was only a matter of time,” Director of K-12 Security Information Exchange Doug Levin said.
The K-12 Security Information Exchange is a nonprofit that works with school systems nationwide to inform, educate, and prepare for cybersecurity threats. Levin calls the PowerSchool breach a worst-case scenario.
“From a school system perspective, there’s very little that they could have done to prevent this. The company, however, clearly experienced a failure of its controls,” Levin said.
PowerSchool went public in 2021 when its CEO rang the opening bell at the New York Stock Exchange. The “Student Information System” is used by school districts across the country.
Nearly 100 local education agencies use the software, according to the Missouri Department of Elementary and Secondary Education. PowerSchool’s “SIS” tracks the kind of important personal data hackers desire.
“Generally speaking, schools are not held to any sort of baseline cybersecurity standard. Nor are school district vendors like PowerSchool. Other sectors that deal with sensitive information, like the financial sector or the healthcare sector, are held to higher standards,” Levin added.
FOX 2 contacted school districts throughout the metro area. Two of the largest districts, Parkway and Rockwood, tell us they’re not impacted by the data breach. The same is true for Pattonville, Mehlville, and Belleville.
However, the St. Charles School District said it was impacted.
“We worked with PowerSchool and third-party specialists to determine what happened and what information is at risk as a result of this event. We are in the process of notifying parents and staff regarding this event,” the district said.
The Edwardsville School District was also involved, telling us, “No social security numbers, passwords, legal documents used during student registration, financial information, or photographs were included in the breach.”
PowerSchool added that they are not aware of any identity theft due to the breach.
“As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse,” they said.
“It’s my hope that we will learn from this, that schools will take steps to shore up their practices, as well as technology companies like PowerSchool,” Levin said.
The Missouri Department of Elementary and Secondary Education released the following statement:
“The Missouri Department of Elementary and Secondary Education (DESE) is closely tracking the data breach reported by PowerSchool, a Student Information System (SIS) used by nearly 100 local education agencies (LEAs) in Missouri. DESE is currently working to learn more details about the cyberattack and its scope of impact on Missouri LEAs, as all PowerSchool users may not have been affected by the breach. DESE staff have recently participated on a call with the U.S. Department of Education (USED) to discuss the issue and will be meeting with PowerSchool soon.
“DESE requests affected LEAs that have not done so already complete the statutorily required DESE data breach reporting form and return it to DESE as soon as possible. DESE encourages affected LEAs to work with their legal counsels and insurance companies, along with PowerSchool, to coordinate remediation steps. LEAs are encouraged to contact the USED Privacy Technical Assistance Center with FERPA questions. The USED recommended the following resources that may be helpful to review: K-12 Cyber Security; K-12 Digital Infrastructure Brief; and Cybersecurity Preparedness for K-12 Schools and Institutes of Higher Learning.”