We were recently informed about a national/worldwide cybersecurity incident that occurred in late December involving our student information system (SIS) provider, PowerSchool. PowerSchool confirmed student and staff information from across the country and Canada had been accessed by an unauthorized user. Please see the information below for details related to this incident.
We will continue to update this page as more information becomes available, and will be reaching out to individuals personally as warranted based on the type of personally identifiable information (PII) that was exposed.
Dear families and staff:
As was previously communicated, PowerSchool recently experienced a cybersecurity incident involving unauthorized access to certain information in the PowerSchool Student Information System (SIS). We are reaching out to share more information and next steps that we recently received directly from PowerSchool:
Notification to Individuals Involved: Starting in the next few weeks, in collaboration with Experian, PowerSchool will provide notice to students (or their parents / guardians if the student is under 18) and staff whose information was involved, as well as a phone number to answer any questions you may have about the incident. The notice will include information about signing up for identity protection and credit monitoring services.
As soon as PowerSchool learned of the incident, they engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. PowerSchool is not aware of any identity theft attributable to this incident.
I encourage you to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the cybersecurity incident. If you have any further questions, feel free to contact us by emailing databreach@ssvotech.org or calling the school at 781-878-8822.
Regards,
Crystal Paluzzi
Director of Technology
The following message was sent to families and staff on Wednesday, January 8th, 2025, via Blackboard:
Hello SST Families & Staff,
As you are likely aware, our Student Information System is called PowerSchool. Yesterday afternoon the company that runs PowerSchool informed users around the world via email that they suffered a data breach. We are eager to learn more about this situation and any impacts. We do not store student or staff Social Security numbers in PowerSchool, but there is other protected data. PowerSchool is running an informational webinar this afternoon to update users and our IT Department will participate in the webinar. We will share updates as information becomes available.
Sincerely,
Tom Hickey
Superintendent-Director
On January 7, 2025, SST was notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide, including SST. Unfortunately, the breach resulted in the disclosure of personally identifiable information (PII) of students and staff to an unauthorized third party.
PowerSchool stated that a support contractor’s login account was compromised, which allowed authorized access into many of their clients’ data systems.
PowerSchool became aware of the breach on December 28, 2024, when the attackers contacted them with an extortion demand in exchange for destroying the stolen data. SST was notified of the breach on January 7, 2025. After investigation, it was learned that our data was accessed on December 22, 2024.
PowerSchool, along with federal law enforcement and independent third-party cybersecurity experts, has stated that they are confident that the data was destroyed and that they do not anticipate the data being shared or made public.
Two tables from within PowerSchool SIS were exported: "Students_export.csv" and "Teachers_export.csv". From reviewing available log data, we were able to reconstruct the fields exported by the unauthorized user. Most of the information obtained was directory information. Directory information includes names, addresses, and emails that are not protected by state and federal student records laws and regulations.
While most of the compromised data was directory information, our review revealed that there were some student medical alert and custody/court-related alert data compromised. Medical alerts include only information necessary to ensure student safety, such as life-threatening allergies. Custody and Court-Related alerts include limited information indicating where there is a custody arrangement or a restraining order. There is no student Social Security number information in PowerSchool.
No medical records were compromised, as they are stored in a separate system. However, some medical alerts related to students were disclosed. Medical alerts are limited to information necessary to ensure student safety, such as life-threatening allergies.
Students: Social Security numbers are not stored in PowerSchool SIS, so no student Social Security numbers were disclosed.
Staff: Staff Social Security numbers were stored in PowerSchool in the past. With the exception of 1 individual, no current staff Social Security numbers were exposed. The one current staff member and any affected former staff members whose Social Security numbers were exposed have been contacted directly.
PowerSchool has engaged with leading cybersecurity organizations as well as law enforcement to conduct extensive forensic analysis of this event. The determination is that PowerSchool is safe to use and there is no ongoing threat. No passwords were compromised and no data was tampered with. Based on this information, there are no restrictions on the use of the software by either students or staff.
We are continually reviewing all of our digital systems to ensure they are as secure as possible. This data breach was outside of our control, as it affected servers owned and operated by PowerSchool. By instituting internal protocols such as account and log audits and multi-factor authentication, we strive to maintain the highest level of security possible.
PowerSchool will be required to provide these services to certain individuals depending on the PII that was exposed. We are currently awaiting additional information regarding these services.