UMATILLA COUNTY — Two separate data breaches may have compromised the personal information of hundreds of students and teachers in Umatilla County.

PowerSchool, a cloud-based software system public and charter schools across North America use to manage student information and other educational services, experienced a cybersecurity breach involving unauthorized access to personal information in its student information system. 

Umatilla School District is one of hundreds of districts nationwide that are part of the breach, which may have involved the access of personal information of hundreds of students.

The district uses PowerSchool to manage student data, while other schools in Umatilla County rely on a different cloud-based service. 

Umatilla School District Superintendent Heidi Sipe  said PowerSchool identified the incident on Dec. 28, 2024, and notified the school district on Jan. 8.

“What we’ve done is we’ve worked with our cyber insurance company and PowerSchool,” Sipe said. “They are sending out notifications to anyone who could have been impacted by it, and services like credit monitoring will be available.”

Sipe said the breach did not compromise academic files but it did access directory information. She added the district has not collected students’ Social Security number for some years.

According to a newsletter from PowerSchool, the company has confirmed the incident has been contained. It has taken steps to prevent further unauthorized access to the data and does not anticipate the information being shared or made public.

The other data breach occurred Dec. 21 and involved Carruth Compliance Consulting, a company that provides third-party administrative services for certain retirement savings plans to public school districts and nonprofit organizations. 

The company identified the suspicious activity and determined certain systems on their network were accessed without authorization between Dec. 19, and Dec. 26, and during that time, certain files were copied from their database.

Carruth sent out a notice of the breach on Jan. 13. 

Carruth reported the affected information may include employees’ names, Social Security numbers, financial account information, driver’s license numbers, W-2 information, medical billing information and tax filings.

“We have two-factor authentication for each of our logins for all of our staff and we have as many security protocols as we can in place to make sure that data is protected,” Sipe said. “However, hackers are always trying to attempt to gather data and so, in case of breaches, we do have the insurance, support and systems in place to address those things if they happen. Sadly, they’re just becoming far more common in all industries.”

Hermiston School District said the breach may have potentially involved all employees who worked for the district during the past 25 years, from November 2000 until today.

The cyber breach also may have affected all individuals employed between 2008 and January 2025 at schools in Umatilla County, including those in Pendleton, Pilot Rock, Helix, and Umatilla school districts.

In Morrow County, the Ione School District said the breach may potentially have affected all individuals employed between December 2008 and January 2025.

Carruth’s customers include many Oregon school districts, educational service districts and other organizations.