PowerSchool, a popular online portal used by many New York school districts to manage student registration, grading, attendance and more, was hit by a data breach in December in which some student data was shared without authorization.

PowerSchool Holdings, a data giant with customers serving more than 60 million students worldwide, said Jan. 13 that it involved students’ personally identifiable information, including Social Security numbers and medical information.

“We are working to complete our investigation into the incident and are coordinating with districts and schools to provide additional information and resources (including credit monitoring or identity protection services, if applicable) as they become available,” the company said.

The New York State Education Department’s privacy office has begun collecting data related to the PowerSchool breach, spokeswoman Rachel Connors said.

“This information will ultimately be used as the basis for any enforcement actions the department decides to take,” she said. “Because the data breach was announced last week and not all schools have been notified, data collection on the incident is ongoing.”

Of interest: New Consumer Protection Laws in New York: What You Need to Know

Yonkers Public Schools Issues Statement on PowerSchool Violation

PowerSchool is one of several widely used portals that allow parents to access school information about their children. However, school districts choose to store different information in their PowerSchool systems.

Yonkers Public Schools uses the PowerSchool portal and wrote to families about the breach, but noted, “Please be assured that Yonkers Public Schools District does not store sensitive information such as Social Security numbers or other personally identifiable fields on the platform.”

Information that may have been compromised included student names, addresses, phone numbers and parent/guardian contact information, according to the district.

Yonkers noted that PowerSchool is taking steps to prevent further access or misuse of the compromised data. “They have assured us that they believe the data has been deleted and will not be shared publicly,” the statement said.

What you should know about the PowerSchool breach

According to several school districts across the country, the unauthorized access to PowerSchool began on December 19th and ended on December 28th. Hackers used a PowerSchool remote support tool to access the data.

Protecting student data has been a top concern for school systems for over a decade, with schools using software for virtually every function, from academic to required data reporting to states. School districts across New York and the country have fallen victim to malware and ransomware attacks.

State and federal laws aim to protect students’ personal information. Every New York City school district must publish a Parent’s Bill of Rights for privacy and security. Districts must also report all data breaches to the state Department of Education’s Privacy Office.

The state also offers “Privacy Breach Notices for Parents” online.

USA TODAY contributed to this report.

This article originally appeared in Rockland/Westchester Journal News: PowerSchool portal used by New York schools affected by a student data breach