The scenario
A teacher reports grades she did not enter. Audit logs show edits from an account that should not have access. Credential stuffing or a single compromised administrator account are the two most common roots.
First 60 minutes
- Lock the suspect account and any session tokens it issued in the last 30 days.
- Force a password reset for all administrative SIS accounts (not just the suspect).
- Enable or verify MFA on every SIS administrative account — including help-desk and integration accounts.
- Pull the SIS audit log for the last 14 days and snapshot it to immutable storage.
- If grades or transcripts were changed, freeze grade-reporting and notify the registrar before the next report-card or transcript-export cycle.
- Open a vendor ticket — PowerSchool, Follett, Infinite Campus, Skyward, Synergy all have documented incident escalation paths.
Decisions to make
Scope of change
- — Single classroom: contain at the teacher account, communicate with affected families directly.
- — Multiple buildings: treat as district-wide, freeze grade-export, notify the superintendent.
- — Transcripts or graduation records altered: legal counsel and registrar in the same call.
Who to call
- SIS vendor incident response team
- K-12 MS-ISAC
- State department of education (if grades, attendance, or state-reporting data is affected)
- State breach-notification regulator if PII is in scope
FAQ
Is grade tampering a FERPA violation?
Unauthorized alteration of an education record is a FERPA-relevant event. Document the discovery, the scope, and the remediation. FERPA requires the district to maintain accurate records — restoration of the correct grades is part of compliance.