Based on the preliminary information that PowerSchool provided, in late December a compromised credential was used by a threat actor to gain access to PowerSchool’s internal support tools. On December 22nd, the threat actor used an internal maintenance tool to gain unauthorized access to student and staff data in PowerSchool SIS.
On December 28th, PowerSchool was made aware of the incident, began an immediate investigation with both internal resources and third-party cybersecurity experts, and informed law enforcement. PowerSchool reports that the incident is now contained and there is no evidence of further unauthorized activity. CrowdStrike is performing an investigation and a full incident report is expected by January 17th.
PowerSchool also engaged the services of CyberSteward, a firm that negotiates with threat actors. While we do not have specifics of the negotiation that occurred, PowerSchool has stated that in exchange for payment they have received reasonable assurances from the threat actor that the data was deleted, including video showing the electronic destruction of the stolen data, and that no additional copies exist. In a live webinar we attended on January 8th, PowerSchool’s senior leadership stated they are confident the data will not be made public.
On January 7th, PowerSchool informed districts of the incident in an email. Mashpee Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district’s data occurred on December 22nd. After verifying that unauthorized access to our data had occurred, we informed families and staff on January 8th.
Unauthorized access to our district’s data occurred on December 22, 2024.
PowerSchool became aware of the breach on December 28, 2024, when the attackers (Threat Actor) contacted them with an extortion demand in exchange for destroying the stolen data.
PowerSchool notified the District of the breach on January 7, 2025, at approximately 2:00 p.m., via email.
PowerSchool confirmed that they initiated their cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts as well as law enforcement. PowerSchool has shared that they engaged the services of CyberSteward, a company with expertise in negotiation with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data.
While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms. As an additional verification measure, PowerSchool has contracted on an ongoing basis with CrowdStrike for web and dark web monitoring of any potential future publishing or sale of the data.
Yes. In addition to PowerSchool SIS, the district also uses SchoolSpring, UnifiedTalent, and Enrollment (used for registration and annual forms). PowerSchool reports that their internal investigation and CrowdStrike's ongoing investigation have found no evidence of unauthorized access to any of these separate systems, and the internal support site that was accessed through the compromised credentials only had access to the SIS product.
PowerSchool has informed us that they have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. They do not anticipate the data being shared or made public, and believe it has been deleted without any further replication or dissemination. They have a video confirming deletion and are actively searching the dark web to confirm, and PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.
Two tables from within PowerSchool SIS were exported: “Students_export.csv” and “Teachers_export.csv”. From reviewing available log data, we were able to reconstruct the fields exported by the unauthorized user. Some of these fields may include information such as name, address, phone, birthdates, SSN, graduation year, and other private PII for both present and past students and teachers.
No medical records were compromised, as they are stored in a separate system. However, some medical alerts and physician information related to students were disclosed.
We are currently awaiting additional information regarding this. PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.
Upon being notified by PowerSchool, the Mashpee Public Schools Leadership and Technology teams immediately launched an internal, and ongoing, investigation. Based on the indicators of compromise that were shared, we were able to verify that the reported unauthorized access occurred and we have found no evidence of further unauthorized access. We continue to monitor and investigate and are also awaiting further information from PowerSchool and the CrowdStrike incident report expected in mid-January. We will be closely analyzing all of this information, and we will share information with families and staff after the incident report is released. We continue to monitor the situation in any way possible so we can provide the information and support our students and teachers need.
While the focus of CrowdStrike’s incident report will surely be on the threat actor and PowerSchool, we will be closely analyzing this incident to inform our planning and future initiatives and how we can improve our security posture. Additionally, Mashpee Public Schools partners with other privacy-focused districts in the Student Data Privacy Alliance (SDPA) to negotiate data processing agreements with software vendors like PowerSchool. The SDPA is aware of this incident and is engaging with PowerSchool regarding their contractual obligations under the agreement.
We are committed to ongoing and transparent communication regarding this incident. We will continue working with PowerSchool to understand the ongoing investigation and response, and will share any relevant information as it becomes available.
At this time, Mashpee Public Schools has not been contacted in this way. PowerSchool reported to districts that some have been contacted by what they believe to be the original threat actor from December of 2024, trying to extort them. This is frustrating because the whole reason PowerSchool paid the ransom initially (and viewed what they believed to be evidence) was because they were assured by the threat actor that the data was being destroyed. PowerSchool and law enforcement are involved in this ever-evolving investigation and will share more information with their customers as they receive it. Just to reiterate, Mashpee is not one of the districts that have had this issue.