Multiple Mass. school districts impacted by national data breach

Sensitive data about students, families, and educators were exposed in the PowerSchool data breach, officials warn.

Some Massachusetts school districts have been impacted by a national data breach, exposing sensitive data about students, parents, and educators. David L Ryan/Boston Globe Staff, File

Several school districts in Massachusetts were affected by the national data breach of the software company PowerSchool.

PowerSchool, which provides education technology products for school officials across the country, sent out a letter to schools and districts informing them about the breach that occurred on Dec. 28. 

According to the letter, a company investigation determined that an unauthorized party gained access to data within the PowerSchool Student Information System — a tool used to collect and organize data — using a compromised credential.

“Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment,” the letter says. “PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.”

Gokhan Kul, assistant professor of Computer and Information Science at UMass Dartmouth, called the breach “concerning” because it targets information involving minors, as well as their families and educators.

“The information system impacted keeps significant amount of data, including sensitive data, such as names and addresses, but may also include grades, educational records, and even social security numbers,” Kul told Boston.com.

Who is affected?

The Massachusetts Department of Elementary and Secondary Education informed Boston.com that it is aware of 195 public school districts and educational collaboratives in Massachusetts that use PowerSchool. However, the number of those impacted by the breach is unknown.

The software company said it “does not anticipate the data being shared or made public” and believes it has been “deleted without any further replication or dissemination.”

At least several Massachusetts school districts — including Randolph and Wellesley — are confirmed to have been affected by the data breach.

In a letter to the Randolph school community, school officials said the data involved in the district’s leak includes names, addresses, phone numbers, email addresses, student ID numbers and birthdates, and staff ID numbers.

However, PowerSchool said the particular information compromised will vary in each affected school.

“This situation is concerning to all of us and we are actively working to get more information,” the Randolph letter says.

PowerSchool learned about the attack from the perpetrator who asked for payment to destroy the data, according to Wellesley Superintendent David Lussier. PowerSchool officials said they paid the perpetrator in exchange for video evidence that the data was deleted. 

“Any ransom that may have been paid to threat actors encourages further attacks,” Kul, the associate director of UMass Dartmouth’s Cybersecurity Center, said. “The threat actors evolve their strategies to create novel and more sophisticated attacks every day, and this breach is just another example of one such instance.”

PowerSchool is in the process of collecting information for each school about the specific data that was implicated in the breach, Lussier told Boston.com.

Wellesley collected their own compromised information internally. According to Lussier, Wellesley students’ names, addresses, phone numbers, attendance, parents, grade level, date of birth, ethnicity, year of graduation, and some medical information were exposed.

Since PowerSchool has affirmed its confidence that the breach has been contained, Lussier said Wellesley Public Schools is continuing to use the PowerSchool system normally.

“When something like this happens it’s extremely concerning, and it shakes our confidence in those systems,” Lussier said. “The more that we can share with parents, not just about what happened, but also about steps that either we’re taking or PowerSchool is taking, hopefully we can begin to repair that confidence.”

What should affected individuals do?

PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors, the company’s letter said. 

Kul recommends that education officials and families follow “cyber hygiene” and review cybersecurity best practices.

Those affected should enable credit card and bank account transaction alerts and monitor credit reports, he said.

Additionally, Kul encouraged individuals to change their passwords and warned against using the same password for different accounts. He also recommended implementing multi-factor authentication.

For those who do not plan to make credit inquiries in the near future, Kul recommends locking or freezing credit reports.

Upon becoming aware of the breach, PowerSchool said it mobilized senior leadership and third-party cybersecurity experts and contacted law enforcement.

Massachusetts State Police told Boston.com it is aware of the breach, and is encouraging PowerSchool customers to “seek guidance directly from the vendor to understand the potential impact on their organization.”

Lindsay Shachnow covers general assignment news for Boston.com, reporting on breaking news, crime, and politics across New England.
