
PowerSchool Breach Information

  • Background
    • PowerSchool, the largest provider of software solutions to K-12 schools in the United States, has as its core product the PowerSchool Student Information System (SIS). All school districts use an SIS, and in Massachusetts PowerSchool is one of five SIS products on the state-wide purchasing contract that are certified for state reporting. All districts are required to have an SIS certified for state reporting, and PowerSchool is one of the most widely used in the state, if not the most widely used.
    • Along with many districts in Massachusetts, Lynn Public Schools uses PowerSchool SIS. LPS also uses PowerSchool’s SchoolMessenger, Unified Talent, Allovue, Schoology, and Enrollment (including registration and annual forms) products. PowerSchool reports this incident did not impact those products.

  • What Happened?
    • Based on the preliminary information that PowerSchool has provided, in late December, a compromised credential was used by a threat actor to gain access to PowerSchool’s internal support tools. On December 22, the threat actor used an internal maintenance tool to gain unauthorized access to student and staff data in PowerSchool SIS.
    • On December 28, PowerSchool was made aware of the incident, began an immediate investigation with internal resources and third-party cybersecurity experts, and informed law enforcement. PowerSchool reports that the incident is contained and that there is no evidence of further unauthorized activity. CrowdStrike is also performing an investigation.
    • PowerSchool engaged the services of CyberSteward, a firm that negotiates with threat actors. While we do not have specifics of the negotiation, PowerSchool has stated that in exchange for payment, it has received reasonable assurances from the threat actor that the data was deleted, including a video showing the electronic destruction of the stolen data, and that no additional copies exist. PowerSchool’s senior leadership has stated that they are confident the data will not be made public.
    • On January 7, PowerSchool informed districts of the incident by email. Lynn Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district’s data occurred on December 22. After verifying that unauthorized access to our data had occurred, we informed families and educators on January 9.

  • What Data Was Accessed?
    • PowerSchool has reported that the unauthorized access was limited to the data fields in two database tables in PowerSchool SIS, and our internal investigation is consistent with this finding. The data accessed varied by district due to differences in data-collection practices.
    • Concerning Lynn Public Schools specifically, the student information that was accessed included student names, home addresses and phone numbers, demographic information, parent/guardian and emergency contact information, custodial information for some students, contact information for physicians, medical “alerts” (for example, a food allergy), and school operational information, such as grade, year of graduation, student ID numbers and usernames, homeroom, and program indicators (including whether a student receives accommodations for special education).
    • The accessed educator information included names, contact information, home addresses/phone numbers, email addresses, teacher ID numbers and usernames, and demographic information (i.e., ethnicity).
    • We do not have any evidence indicating that student assessment results, grades/academic data, report cards, full health records, IEPs, attendance records, or discipline incident data were accessed. We do not store student or educator Social Security numbers or financial information in PowerSchool SIS, and therefore these were not part of this data breach. Additionally, no password-related information was accessed.

  • How is LPS Responding?
    • Upon being notified by PowerSchool, we immediately launched an internal review. Based on the indicators of compromise that PowerSchool shared, we verified that the reported unauthorized access occurred and found no evidence of further unauthorized access. We continue to monitor and review our systems while we await further information from PowerSchool and the CrowdStrike incident report. We will closely analyze all of this information, and we will share information with families and educators after the incident report is released.
    • Cybersecurity has been an ongoing focus of the district. Some key steps we have taken in recent years include moving all users to multi-factor authentication and providing annual confidentiality/student records training. This is ongoing work and will continue to be an area of focus moving forward. While CrowdStrike’s incident report will surely focus on the threat actor and PowerSchool, we will closely analyze this incident to inform our planning and future initiatives.
    • We are committed to ongoing communication regarding this incident. We will continue working with PowerSchool to understand the ongoing investigation and response and will share any relevant information as it becomes available. We have also started a PowerSchool Cybersecurity Incident FAQ.

FAQ

  • How confident is PowerSchool that the data has been deleted?
    • PowerSchool engaged the services of CyberSteward, a company with expertise in negotiating with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so that future victims are more likely to pay ransoms. As an additional verification measure, PowerSchool has contracted on an ongoing basis with CrowdStrike for web and dark web monitoring for any potential future publishing or sale of the data.

  • Were Social Security numbers, credit cards, or other financial information accessed?
    • No. As part of our data minimization practices, we do not store Social Security numbers, credit cards, or financial information in PowerSchool SIS.

  • Was personal health information (PHI) accessed?
    • No medical records were included in the unauthorized access. The names and phone numbers of physicians associated with students were included, as well as medical “alerts” in the system. Medical “alerts” are short text notices that inform educators of important medical information, such as peanut allergies.

  • Is it safe to continue using PowerSchool SIS?
    • PowerSchool has assured all districts that the incident is no longer active and that the threat actor has no further access. PowerSchool’s and CrowdStrike’s ongoing investigations have found no evidence of the threat actor’s persistence in PowerSchool’s systems. PowerSchool has also taken steps to further secure its internal support resources and has disabled the internal maintenance tool that was used in the incident.

  • Will PowerSchool be communicating directly with impacted individuals or providing any supports or services?
    • PowerSchool will provide a notice to students (or their parents / guardians for students under 18) and educators whose information was exfiltrated from the PowerSchool SIS.
    • Each notice will include a description of the categories of personal information that were exfiltrated and the identity protection and credit monitoring services offered (as applicable).
    • PowerSchool has engaged Experian, a trusted credit reporting agency, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
    • Experian will also provide a call center to answer questions from the community.
    • PowerSchool will also provide a notice to the State Attorney General’s Office as required by Massachusetts state regulations.

  • PowerSchool has engaged Experian, a trusted credit reporting agency, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was involved. This offer will also include two years of complimentary credit monitoring. To sign up for the identity protection through Experian, please visit PowerSchool's website here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach