How did it happen?
On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident, or that there is any malware or continued unauthorized activity in the PowerSchool environment.
On January 7, 2025, the Longmeadow Public Schools was notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide, including Longmeadow. Unfortunately, the breach resulted in the disclosure of sensitive, personally identifiable information which was exported from LPS PowerSchool.
PowerSchool stated that a support contractor’s login account was compromised, which allowed authorized access into many of their clients’ data systems.
General FAQ, Families, Educators and Customers - https://www.powerschool.com/security/sis-incident/
January 16, 2025
Good Afternoon LPS Families and Staff,
I am writing with a final general update on the cybersecurity incident described in earlier emails (copied below). You will recall that, in a nationwide event, an unauthorized party gained access to certain data in PowerSchool, the Student Information System used by LPS and many other school districts.
As promised, we have developed a webpage with communication, resources and an FAQ from PowerSchool. It also includes district communication on this incident and an annotated listing of the staff and student data fields that were exported from PowerSchool.
Credit monitoring will be provided to the individuals mentioned below who had Social Security numbers exported. We will also make notice to the MA Attorney General consistent with the requirements under MA General Law Chp 93H.
Please let me know if you have any questions in relation to this incident.
Sincerely,
Marty O'Shea
Superintendent of Schools
January 8, 2025
Good Evening LPS Families and Staff,
I am writing with a follow-up to the cybersecurity incident that was described in an email on Wednesday, January 7 and is copied below. PowerSchool, the Student Information System used by Longmeadow, has indicated that an unauthorized party gained access to certain data housed in our Student Information System (“SIS”).
While PowerSchool has only sent general notices to districts, the LPS IT team has confirmed that sensitive, personally identifiable information was exported from LPS PowerSchool. For students, listed are some of the data fields with personal information which were exported: name, date of birth, address, web ID (email login), gender, race, IEP status (a simple yes or no designation), medical alerts (not including medical data, but simply alerting staff to the existence of a health care plan, a seizure disorder, an allergy, etc.). For staff, listed are some of the data fields with personal information which were exported: name, date of birth, address, email address, ethnicity, gender and race. A full, comprehensive list of the exported data fields along with other pertinent information will be posted to our district website as soon as possible.
Our current understanding indicates that only PowerSchool SIS data was exported. The breach did not affect PowerTeacherPro (grades), Google Classroom or Naviance (a college or career readiness platform) or other teaching and learning tools. Student disciplinary records, counseling records, IEPs, medical records or 504 plans were not obtained.
In addition to the above data extractions, our IT team has evidence that the Social Security Numbers of approximately 240 former students, who either graduated or transferred out of Longmeadow Schools roughly between the years 2005-2009, were also obtained. Additionally, the SSNs of fewer than 10 former employees were also obtained. Since PowerSchool does not house the SSNs of active employees or students, no current employee or student was affected.
Longmeadow Public Schools has reported this matter to law enforcement and our response will continue to be guided by legal counsel. The District intends to fulfill its notification requirements in accordance with state law.
PowerSchool has reported to the Districts nationwide that it “engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.” PowerSchool further reported that: “Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.” It further stated: “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.” Finally, PowerSchool has indicated that: “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. . . . We have a video confirming deletion and are actively searching the dark web to confirm.” PowerSchool has indicated that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.
As I noted yesterday, we take our commitment to data privacy very seriously. You can expect an additional update as soon as possible.
Sincerely,
Marty O’Shea
Superintendent of Schools
January 8 Notice
Good Afternoon LPS Families and Staff,
Yesterday afternoon, PowerSchool, the Student Information System used by Longmeadow and many other districts, informed LPS that on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized access to LPS staff and student data. This data breach has affected LPS and countless other school districts across the country.
This afternoon, LPS tech staff and district administrators will participate in a webinar hosted by PowerSchool’s senior executives, during which they will provide PowerSchool’s customers with more information about the incident and their response. We are committed to fully understanding the situation.
PowerSchool has assured its customers that the incident has been contained, and there is no evidence of continued unauthorized activity.
Once we receive additional information from the webinar and further guidance from PowerSchool, we will provide you with an update, including information on the data fields that were accessed. Our priority is to maintain transparency and take all necessary measures to safeguard the information entrusted to our systems.
As an initial precaution, all student users of LPS Google Education tools, including Google Classroom and Gmail, will be prompted to change their password tomorrow morning at first sign-in.
Thank you for your patience and understanding. We take our commitment to data privacy very seriously. You can expect an additional update as soon as possible.
Sincerely,
Marty O'Shea
Superintendent of Schools