These are released directly from PowerSchool
An excerpt from the initial email sent to PowerSchool customers:
January 7, 2025
Dear Valued Customer,
As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
Please review the following information and be sure to share this with relevant security individuals at your organization.
As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.
We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.
Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.
~~~~~~~~~~
We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.
Thank you for your continued support and partnership.
Sincerely,
Hardeep Gulati
Chief Executive Officer
Paul Brook
Chief Customer Officer
cc: Mishka McCowan
Chief Information Security Officer
We attended PowerSchool's live CyberSecurity Incident Overview, where the leaders of PowerSchool walked us through what happened, the containment and remediation as well as the data impact. They let us know that more information would be forthcoming, including data specific to our district, what will be provided to those affected by the exposure and what we can expect moving forward.
Dear PowerSchool SIS Customer,
Thank you for your continued patience and partnership as we address the recent cybersecurity incident. Over the last few weeks, we have been focused on assessing the scope of data involved, making further enhancements to our cybersecurity defenses, and developing a plan to help you and our shared community.
As a PowerSchool SIS customer whose information was involved, I am writing to provide you with updates on several important next steps:
Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.
Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.
Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
Notifications: Starting in the next few weeks, PowerSchool will be handling notifications to involved individuals and relevant state attorney general offices on your behalf. We hope to relieve the burden of these notifications on you and your institution. You may opt out if you would prefer to notify directly.
Community: PowerSchool will coordinate with Experian to provide notice on your behalf to students (or their parents / guardians if the student is under 18) and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
Regulatory: PowerSchool will provide notification on your behalf to relevant state attorney general offices. You may also have notification requirements with your state’s Department of Education where required. Since many customers have already notified and are in close contact with their state’s Department of Education, PowerSchool will defer to you on these notifications.
In this LINK you will find a fact sheet with additional details on these steps and the incident, a template that we intend to use to notify individuals whose information was involved, and a proposed communication that you may choose to share with families and educators to keep them informed on these steps. We are providing this communication package to technical contacts listed by your organization with PowerSchool. Please forward as appropriate to relevant leaders in your organization.
I sincerely value the trust you have placed in PowerSchool. We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving you and our shared community.
We appreciate all that you are doing to support families and educators through this process.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
Dear Valued Customers,
We sincerely appreciate your continued support as we respond to our recent cybersecurity incident. Since our last update, we have initiated the process of notifying involved individuals about the resources now available to them. As part of this process, we have posted a notice to our website. Credit monitoring and identity protection services are now activated and available.
In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a call center for your families and educators in case they have questions about these offerings.
As a reminder, PowerSchool is offering two years of complimentary identity protection services for all current and former students and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students and educators whose information was determined to be involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.
We care deeply about keeping the students, families, and educators we support informed of this process. Please refer inquiring community members to the PowerSchool website for the latest information on the cybersecurity incident. To further support our districts and schools, PowerSchool has prepared template communications for your adapted use in conversation with families and educators as you see fit. The emails included below this message provide an update to both groups regarding the notification process and services PowerSchool is offering to involved individuals.
Thank you for your partnership in supporting this process and the trust you have placed in our response. We acknowledge the significance of this incident and are committed to emerging from it stronger and better equipped to serve you and the communities we share.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
Dear Valued Customers:
We are writing to inform you of a recent development related to the cybersecurity incident PowerSchool experienced in December 2024.
PowerSchool recently became aware that a threat actor has reached out to some PowerSchool SIS customers in an attempt to extort them using data from the previously reported December 2024 incident. We do not believe this is a new incident, but we wanted our customers to be informed, nonetheless.
As you all are likely aware, in the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, which our leadership team did not make lightly. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.
In light of this, I want to take a moment to remind you all that following the December 2024 incident, PowerSchool also offered and made widely available credit monitoring and identity protection services for a period of two years to students and faculty of our PowerSchool SIS customers, regardless of whether they were individually involved. We encourage you all to take this opportunity to remind your communities that these services are still available. If you choose to send an update to your families and educators, we have included a suggested message for you to send below.
As a reminder, information about credit monitoring and identity protection services and enrollment can be found on our website:
For customers in the U.S.: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/
For customers in Canada: https://www.powerschool.com/security/sis-incident/notice-of-canada-data-breach/
We sincerely regret the occurrence of the 2024 incident. We will continue supporting our valued customers and law enforcement as we work through this together. If you have any questions or concerns, please don’t hesitate to reach out to your CSM.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
These are messages posted on
January 8, 2025
Dear Families and Staff,
PowerSchool, the student information system provider used by our district and many others nationwide, has notified us of a cybersecurity incident that has affected their systems. PowerSchool has informed us that this incident involved unauthorized access to their data systems nationwide.
Given this incident's potential significance and reach, we want to share what we know now. PowerSchool has confirmed this is a nationwide issue, and we confirmed our data was compromised. They have assured us that the incident has been contained, and there is no evidence of continued unauthorized activity.
Later today, we will participate in a webinar hosted by PowerSchool’s senior executives, who will provide us with more information about the incident and their response. We are fully committed to understanding the situation and will share any new information shared with us as soon as possible. Our priority is to ensure transparency and take any necessary steps to protect the information entrusted to our systems.
We understand and share the concern this may cause and appreciate your patience and understanding as we navigate this situation. Please know that we consider the security of student and family data a top priority.
Thank you for your attention, understanding, and support.
Sincerely,
Dr. Thomson
Interim Superintendent of Schools
January 9, 2025
Dear Families and Staff,
After attending the virtual meeting with PowerSchool, I wanted to share the following update regarding the recent cybersecurity breach.
PowerSchool has taken steps to ensure that the stolen data will not be publicly shared or used maliciously. This is based on the belief that the people responsible are a sophisticated criminal “business” that must be reputable to function in cybercriminal activities. This is PowerSchool's position and does not represent our view on the matter.
We will continue working closely with PowerSchool as they fulfill their ethical and legal obligations to all affected by the breach. This will likely include necessary reporting and assistance. PowerSchool has also shared details on additional measures that will be used to prevent future breaches of its systems.
We share the above as an update, fully acknowledging that work continues on both PowerSchool and our part. We will continue to reach out to you as more information becomes available.
Sincerely,
Dr. Thomson
Dear Families and staff–
I am writing to update you on the recent cybersecurity incident involving PowerSchool, a software vendor that provides our Student Information System (SIS).
PowerSchool confirmed with us the specific data fields that were compromised. We are in the process of identifying the personally identifiable information (PII) in our system. Across their customer base, they have determined that for a portion of individuals, some personally identifiable information (PII), such as social security numbers (SSN) and medical information, was impacted. They are urgently working to complete their investigation and determine whether PII belonging to our students was included.
Protecting our students and staff's personal information is something we take seriously. With PowerSchool’s help, more information and resources (including credit monitoring or identity protection services, if applicable) will be provided to you as they become available.
Thank you for your patience and understanding. We will endeavor to continue to keep you informed.
Sincerely,
Dr. Thomson
Good Evening,
Many of you have received or will shortly receive an email directly from our student information system provider, PowerSchool, providing you with information about enrolling in free credit monitoring. Please know that this is a valid email and offer. We have added this information to our webpage dedicated to this incident to make it easier.
https://sites.google.com/mpspk12.org/powerschool-sis-data-breach/home
Although PowerSchool did pay to ensure your data was not released, credit and personal information monitoring is a good option in today's environment of cyber security leaks.
We will continue to make sure you have the relevant information about this incident.
Sincerely,
Dr. Thomson
Dear families and educators of the Mashpee community:
We were notified yesterday of a recent development related to the cybersecurity incident PowerSchool experienced in December 2024. In our commitment to transparency we are sharing their communication to us below:
PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident. PowerSchool does not believe this is a new incident.
Please know PowerSchool is taking this situation very seriously. PowerSchool has informed us they are working with cybersecurity experts to thoroughly assess this development and have reported it to law enforcement in both Canada and the United States.
As a reminder, following that incident PowerSchool also offered and made widely available credit monitoring and identity protection services for a period of two years to students and faculty in Mashpee regardless of whether they were individually involved. We encourage all those who were offered these services to take advantage of them:
For individuals in the U.S.: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/
For individuals in Canada: https://www.powerschool.com/security/sis-incident/notice-of-canada-data-breach/
As was reported earlier this year, PowerSchool made the decision to pay a ransom because they believed it to be in the best interest of their customers and the students and communities they serve. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to PowerSchool. We want to assure everyone that as of this writing we have not been contacted by the threat actors and no extortion threats have been made to our district. We will keep you informed if the situation changes and remain committed to working closely with PowerSchool and law enforcement to provide support in any way we can.
Sincerely,
Suzy Brooks,
Director of Instructional Technology