Powerschool Cybersecurity Incident 

Background

PowerSchool is the largest provider of software solutions to K-12 schools in the United States, and their core product is the PowerSchool Student Information System (SIS).  All school districts use an SIS, and in Massachusetts PowerSchool is one of five SIS on the state-wide purchasing contract that is certified for state reporting. All districts are required to have an SIS certified for state reporting and PowerSchool is one of, if not the, most widely used in the state.

Along with many of our neighboring districts, Leicester Public Schools uses PowerSchool SIS. LPS also uses PowerSchool’s Enrollment Express (including registration and annual forms), and Naviance products. However, PowerSchool reports those products were not impacted by this incident.

What Happened? 

Based on the preliminary information that PowerSchool has provided, in late December a compromised credential was used by a threat actor to gain access to PowerSchool’s internal support tools. On December 22nd, the threat actor used an internal maintenance tool to gain unauthorized access to student and staff data in PowerSchool SIS.

On December 28th, PowerSchool was made aware of the incident, began an immediate investigation with both internal resources and third-party cybersecurity experts, and informed law enforcement. Powerschool reports that the incident is now contained and there is no evidence of further unauthorized activity. Crowdstrike is performing an investigation and a full incident report is expected by January 17th.

PowerSchool also engaged the services of CyberSteward, a firm that negotiates with threat actors. While we do not have specifics of the negotiation that occurred, PowerSchool has stated that in exchange for payment they have received reasonable assurances from the threat actor that the data was deleted, including video showing the electronic destruction of the stolen data, and that no additional copies exist. PowerSchool’s senior leadership has stated that they are confident the data will not be made public.

On January 7th, PowerSchool informed districts of the incident in email. Leicester Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district’s data occurred on December 22nd. After verifying that unauthorized access to our data had occurred, we informed families and staff on January 8th.

What is the District Doing to Respond?

Upon being notified by PowerSchool we immediately launched an internal, and ongoing, investigation. Based on the indicators of compromise that were shared, we were able to verify that the reported unauthorized access occurred and we have found no evidence of further unauthorized access. We continue to monitor and investigate and are also awaiting further information from PowerSchool and the Crowdstrike incident report expected in mid-January.  We will be closely analyzing all of this information, and we will share information with families and staff after the incident report is released.

We are committed to ongoing and transparent communication regarding this incident. We will continue working with PowerSchool to understand the ongoing investigation and response, and will share any relevant information as it becomes available.  We have also started a PowerSchool Cybersecurity Incident FAQ. This will be a living document and includes additional information and responses to frequently asked questions.

How is Powerschool confident that the data has been deleted?

PowerSchool has shared that they engaged the services of CyberSteward, a company with expertise in negotiation with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms.  As an additional verification measure, PowerSchool has contracted on an ongoing basis with Crowdstrike for web and dark web monitoring of any potential future publishing or sale of the data.

Were Social Security numbers, credit cards, or other financial information accessed?

In the past, the Leicester Public Schools did store staff social security numbers . There are two current LPS staff members whose social security numbers were exposed. Those two staff members have been contacted directly. Additionally, there are 190 former LPS employees whose social security numbers were extracted. The 190 employees will be mailed a separate letter to their most recent address on file. If you are a former staff member who is no longer at the address that you lived at while working for the LPS, please fill out the Address Update Form linked here and at the bottom of the page. The Leicester Police Department has been notified. No credit cards or other financial information is stored within Powerschool. 

Was personal health information (PHI) or IEP/504 information accessed?

No medical records were included in the unauthorized access. Student medical and accommodation "alerts" in the system were accessed. Medical "alerts" are short text based alerts visible only to authorized staff of important medical information, such as a peanut allergy or seizure protocol. Student accommodation "alerts" are text based alerts visible to authorized staff to indicate an active Individual Education Plan (IEP) or 504 Plan and lists student accommodations. 

Is it safe to continue using PowerSchool SIS?

PowerSchool has assured all districts that the incident is no longer active and that the threat actor has no further access. Their and Crowdstrike's ongoing investigations have found no evidence of persistence in their systems by the threat actor. They have also taken steps to further secure their internal support resources and disable their internal maintenance tool that was used in the incident.

What other PowerSchool products does the district use? Were they compromised?

In addition to PowerSchool SIS, the district also uses Enrollment Express (used for registration) and Naviance. PowerSchool reports that their internal investigation and Crowstrike's ongoing investigation have found no evidence of unauthorized access to any of these systems, and that the internal support site that was accessed through the compromised credentials only had access to the SIS product.

How long did it take PowerSchool to notify the district of this incident?

PowerSchool learned of this incident on Saturday, December 28th. They notified Leicester Public Schools on Tuesday, January 7th at 2:10pm that an incident occurred.  We launched an investigation and notified staff and families the following day once we had verified the unauthorized access and identified the exfiltrated data.

Will PowerSchool be communicating directly with impacted individuals or providing any supports or services? (Updated 1/17/2025)

Powerschool has announced that they will be offering complimentary identity protection and credit monitoring through Experian to individuals whose information was involved in the incident as follows:

• Identity Protection: Powerschool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.

• Credit Monitoring: Powerschool will also be offering two years of complimentary credit monitoring services for all students and educators whose information was involved. 

Powerschool has said they will be contacting individuals directly in the coming weeks regarding these services. When we have more specifics we will share them here. 

PowerSchool Communication to Districts on 3/10/2025:

Dear Valued Customer,

On January 7th, we shared that PowerSchool was the target of a cybersecurity incident that resulted in the exfiltration of data from the Students and Teachers tables for some PowerSchool SIS customers by an unauthorized user. We immediately took corrective measures necessary to contain the incident, began notifying relevant regulatory agencies on your behalf (where applicable) as well as students and educators whose data was involved, and provided credit and identity monitoring services to the individuals students and educators.

Today we are sharing closing updates on:

1. The final CrowdStrike Incident Report, which did not identify any new or concerning findings beyond what we have shared;

2. Our ongoing engagement with regulators in the United States and Canada;

3. The identity monitoring (and credit monitoring, as applicable) that PowerSchool continues to make available to all individuals involved, and

4. How PowerSchool has and will continue to strengthen our cybersecurity defenses as we connect the education community with the shared goal of helping students thrive through personalized education.

CrowdStrike Incident Report

Immediately after PowerSchool became aware of the incident, CrowdStrike was engaged to conduct an investigation into the incident. We made available a CrowdStrike interim fact sheet in mid-January, and with the investigation complete, are now sharing the final incident report.

CrowdStrike did not identify any new or concerning findings beyond what we already shared in the interim fact sheet. The report confirms:

• The Threat Actor accessed PowerSource, a community-focused customer support portal, using a single compromised credential.

• The Threat Actor’s activities were limited to exfiltration of select PowerSchool SIS instances of Students and Teachers tables.

• CrowdStrike’s Recon+ Intelligence service has not identified any evidence of this exfiltrated information available for sale or download.

• CrowdStrike found no evidence of system-layer access or malware associated with this incident.

• CrowdStrike found no other PowerSchool products were compromised.

• While the PowerSource environment experienced unauthorized activity prior to December, PowerSchool believes that the data exfiltration occurred in late December.

In addition to sharing here, we are posting CrowdStrike’s final incident report on our website and sharing it with regulators in the United States and Canada where appropriate. We encourage you to share this report with any stakeholders that you deem appropriate.

Regulator Notifications – United States & Canada

As we shared on January 27th and February 4th, PowerSchool filed notifications with applicable regulators across U.S. and Canadian jurisdictions (respectively) on behalf of impacted customers who did not opt out of our offer to do so. Our dialogue with regulators is ongoing. We plan to share the final CrowdStrike incident report and additional relevant details from our on-premise customers who opted to share their information with us.

Identity & Credit Monitoring Notifications

On January 17th, we announced that PowerSchool secured two years of complimentary identity protection for all students and educators involved where such services are available through Experian, regardless of whether an individual’s social security number was exfiltrated. We also made available two years of credit monitoring for involved students and educators in the United States and Canada who are eligible for credit monitoring services. To further support your communities with these resources, please note:

• Experian, our identity protection services provider, has sent email notifications on PowerSchool’s behalf (except those customer who opted out) to both current and former families and educators whose information was involved, and for whom we have available contact information. These notifications will continue as we process on-premise customer information.

• These individual notices are sent from an Experian company, CSIdentity whose domain includes @csid. Please contact your CSM or Support team leader if you have any questions. Neither PowerSchool nor Experian will ever ask you for personal information via email.

• You can share information regarding the available monitoring services to your communities using the form letters provided to you by PowerSchool or the information provided on PowerSchool’s website.

• Information on how to enroll in identity and credit monitoring is posted on PowerSchool’s website (for the U.S. and Canada). We encourage you and your communities to take advantage of the monitoring being offered.

• PowerSchool has extended the sign-up deadline for Experian’s services from May 31, 2025, to July 31, 2025.

Security Improvements and Hardening Measures Introduced

As part of our commitment to continuously strengthen security across the K-12 ecosystem, PowerSchool has taken significant steps to enhance our cybersecurity posture. To-date we have:

• Required that 100% of PowerSchool employees and contractors utilize SSO, MFA, VPN, and VDI for any hardware or resource that accesses customer data – including PowerSource;

• Invested in physical security measures including fingerprint and facial recognition authentication for all PowerSchool employees and contractors;

• Implemented rigorous technical audits of all access to customer data to validate and reinforce our security framework, including shortening the time-windows for authorized maintenance to reduce the risk of improper access; and,

• Limited the number of SIS instances a single account can log into during a 24-hour period.

In addition, we have taken proactive measures to reinforce our unwavering commitment to safeguarding student and educator data, including:

• Establishing a new Customer Security Advisory Council, which will provide a forum for in-depth security reviews, industry collaboration, and best practice sharing.

• Developing a security rubric to help districts assess not only PowerSchool’s security commitment but also their own infrastructure and third-party systems.

• Continuing our long-standing security protocols, including adherence to global standards (such as ISO 27100), product-level governance (including SOC II audits), and monitoring via our Security Operations Center, which currently maintains 24x7x365 coverage against cybersecurity threats. You can learn more about our security process and policies here.

We hope this update can begin to bring closure to this incident; please reach out to your CSM or Support contact with any additional questions or concerns. We are grateful for your partnership over the last several weeks and look forward to all that we can accomplish as we move forward—together.

Sincerely,

Hardeep Gulati

Chief Executive Officer, PowerSchool

Excerpt from PowerSchool Communication to Districts on 1/30/2025:

"Dear Valued Customers,

We sincerely appreciate your continued support as we respond to our recent cybersecurity incident. Since our last update, we have initiated the process of notifying involved individuals about the resources now available to them. As part of this process, we have posted a notice to our website. Credit monitoring and identity protection services are now activated and available.

In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a call center for your families and educators in case they have questions about these offerings.

As a reminder, PowerSchool is offering two years of complimentary identity protection services for all current and former students and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students and educators whose information was determined to be involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.

We care deeply about keeping the students, families, and educators we support informed of this process. Please refer inquiring community members to the PowerSchool website for the latest information on the cybersecurity incident. "

Excerpt from PowerSchool Communication to Districts on 1/27/2025:

"In the coming days, PowerSchool will begin providing formal legal notice of the cybersecurity incident to current and former students (or their parent/guardians as applicable) and educators whose information was determined to be involved.  A direct email notification will be distributed by Experian on behalf of PowerSchool in the coming weeks to applicable current and former students (or their parent/guardians as applicable) and educators for whom we have sufficient contact information. Powerschool will also launch a website and distribute a media release to ensure we reach as many involved individuals as possible and provide them with resources to protect their information. Importantly, these notices will include instructions for involved individuals on how to enroll in the credit monitoring and identity protection services that are being offered by PowerSchool. "

LPS will post the information and link to the PowerSchool website as soon as we are notified. 

Letter to Families and Staff 1/8/2025

Dear Leicester School Community,

I am writing to inform you that we were recently notified there was a security breach in our student information system provider PowerSchool.  PowerSchool is a cloud based software supporting over 60 million students and 18,000 customers worldwide.  Technology Coordinator, Paul Miller, and members of the administration just attended a webinar from PowerSchool to learn more about this issue.

It is our understanding from PowerSchool that the issue has been contained.  PowerSchool will be sending more information and I will share the information as it is received.  At this time, they have informed us that no immediate action is required.  I will forward the information and keep you updated as I receive it.

The PowerSchool website is PowerSchool.com and they have informed me that they will be posting more information soon.  To date, it has not been posted. 

Superintendent Kustigian

kustigianb@lpsma.net

508-892-7040 x 9001

Letter for Families and Staff 1/10/2025

Dear Leicester School Community,

I am writing to give you an update on the PowerSchool situation.  Leicester Public Schools, and other schools across the nation, continue to wait for additional guidance from PowerSchool.  While PowerSchool has released general statements, school districts are looking for much more.  As I receive information, I will keep you updated.    

Superintendent Kustigian

kustigianb@lpsma.net

508-892-7040 x 9001

Letter for Families and Staff 1/13/2025

January 13, 2025

Dear Leicester School Community,

I am writing to provide you with an update on the PowerSchool data breach.  PowerSchool reports that the incident, which occurred in late December, is contained and not ongoing. The unauthorized access occurred through one of PowerSchool’s support platforms and they report that they have contained the incident and prevented further unauthorized access. 

 PowerSchool has shared that student, family, and staff information, such as names, contact information, and demographics were accessed. We have begun our own internal investigation and we believe that, specifically within Leicester Public Schools, the information that was accessed included student names, home addresses and phone numbers, demographic information, parent/guardian and emergency contact information, custodial information, medical “alerts” (for example a food allergy), and school operational information, such as grade, year of graduation, student ID numbers and usernames, home room, and participation in programs such as special education and EL services. 

The accessed staff information included names, contact information, home addresses and phone numbers, email addresses, staff ID numbers and usernames, and demographic information. No student assessment results, grades or academic data, report cards, full health records, IEPs, or records pertaining to attendance, discipline, or behavior were accessed. We do not currently store student or staff social security numbers or financial information in PowerSchool, and no password related information was accessed.

In the past, the Leicester Public Schools did store staff social security numbers.  There are two current LPS staff members whose social security numbers were exposed.  Those two staff members have been contacted directly.  Additionally, there are 190 former LPS employees who social security numbers were exposed.  The 190 employees will be mailed a separate letter to their most recent address on file.  The Leicester Police Department has been notified.      

PowerSchool has additionally stated that they do not anticipate the data that was accessed being shared or made public, and that they believe it has been deleted without any further replication or dissemination. We are seeking additional information from PowerSchool and we will continue to keep the community up to date.

Finally, LPS has set up a website to provide additional information and to communicate the latest information from PowerSchool.  Protecting student and staff information has been and will continue to be a central value of our district and we will do everything we can to keep you informed. The link for the website is below:

https://sites.google.com/lpsma.net/lpstechnology/powerschool-data-breach

Please let me know if you have questions or concerns.  

Thank you, 

Superintendent Kustigian

kustigianb@lpsma.net

Letter to Families and Staff 2/27/2025

Dear Leicester School Community,

I am writing to inform you that PowerSchool sent an email this morning about the cybersecurity incident offering free credit monitoring through Experian.  I have received numerous inquiries and I wanted to let you know that it is legit. 

PowerSchool is using Experian to offer free credit monitoring and identity theft protection services if you feel the need. Please be advised that no student social security numbers were exposed.

If you are a former student (from 2014 forward) or former staff member and did not receive the email, you can access more information regarding the breach and how to sign up for credit monitoring here: https://www.powerschool.com/.../notice-of-united-states.../

Please let me know if you have questions.    

Superintendent Kustigian

kustigianb@lpsma.net

508-892-7040 x 9001