Skip to main content
All playbooks

Playbook

Student Information System compromise

PowerSchool, Aspen, Infinite Campus, Skyward, or Synergy account takeover, grade tampering, or credential-stuffing.

The scenario

A teacher reports grades she did not enter. Audit logs show edits from an account that should not have access. Credential stuffing or a single compromised administrator account are the two most common roots.

First 60 minutes

  1. Lock the suspect account and any session tokens it issued in the last 30 days.
  2. Force a password reset for all administrative SIS accounts (not just the suspect).
  3. Enable or verify MFA on every SIS administrative account — including help-desk and integration accounts.
  4. Pull the SIS audit log for the last 14 days and snapshot it to immutable storage.
  5. If grades or transcripts were changed, freeze grade-reporting and notify the registrar before the next report-card or transcript-export cycle.
  6. Open a vendor ticket — PowerSchool, Follett, Infinite Campus, Skyward, Synergy all have documented incident escalation paths.

Decisions to make

Scope of change

  • Single classroom: contain at the teacher account, communicate with affected families directly.
  • Multiple buildings: treat as district-wide, freeze grade-export, notify the superintendent.
  • Transcripts or graduation records altered: legal counsel and registrar in the same call.

Who to call

  • SIS vendor incident response team
  • K-12 MS-ISAC
  • State department of education (if grades, attendance, or state-reporting data is affected)
  • State breach-notification regulator if PII is in scope

FAQ

Is grade tampering a FERPA violation?

Unauthorized alteration of an education record is a FERPA-relevant event. Document the discovery, the scope, and the remediation. FERPA requires the district to maintain accurate records — restoration of the correct grades is part of compliance.