PowerSchool Data Breach Response

PowerSchool is the largest provider of software solutions to K-12 schools in the United States, and their core product is the PowerSchool Student Information System (SIS).  All school districts use an SIS, and in Massachusetts PowerSchool is one of five SIS on the state-wide purchasing contract that is certified for state reporting. All districts are required to have an SIS certified for state reporting and PowerSchool is one of, if not the, most widely used in the state.

Along with many of our neighboring districts, Lincoln Public Schools uses PowerSchool SIS. LPS also uses PowerSchool’s SchoolMessenger, Unified Talent, and Enrollment (including registration and annual forms) products. However, PowerSchool reports those products were not impacted by this incident.

Based on the preliminary information that PowerSchool has provided, in late December a compromised credential was used by a threat actor to gain access to PowerSchool’s internal support tools. On December 22nd, the threat actor used an internal maintenance tool to gain unauthorized access to student and staff data in PowerSchool SIS.

On December 28th, PowerSchool was made aware of the incident, began an immediate investigation with both internal resources and third-party cybersecurity experts, and informed law enforcement. Powerschool reports that the incident is now contained and there is no evidence of further unauthorized activity. Crowdstrike is performing an investigation and a full incident report is expected by January 17th.

PowerSchool also engaged the services of CyberSteward, a firm that negotiates with threat actors. While we do not have specifics of the negotiation that occurred, PowerSchool has stated that in exchange for payment they have received reasonable assurances from the threat actor that the data was deleted, including video showing the electronic destruction of the stolen data, and that no additional copies exist. PowerSchool’s senior leadership has stated that they are confident the data will not be made public.

On January 7th, PowerSchool informed districts of the incident in email. Lincoln Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district’s data occurred on December 22nd. After verifying that unauthorized access to our data had occurred, we informed families and staff on January 8th.

PowerSchool has reported that the unauthorized access was limited to the data fields in two database tables in PowerSchool SIS, and our internal investigation is consistent with this finding. The data that was accessed will vary by district due to differences in data collection practices.

In the Westerly Public Schools specifically, the information that was accessed included student names, home addresses and phone numbers, demographic information, parent/guardian and emergency contact information, custodial information for some students, contact information for physicians, medical “alerts” (for example a food allergy), and school operational information, such as grade, year of graduation, student ID numbers and usernames, home room, bus numbers, and participation in programs such as special education and EL services. 

The accessed staff information included names, contact information, home addresses and phone numbers, email addresses, staff ID numbers and usernames, and demographic information. 

We do not believe that any student assessment results, grades or academic data, report cards, full health records, IEPs, or records pertaining to attendance, discipline, or behavior were accessed. We do not store student or staff Social Security numbers or financial information in PowerSchool SIS, and no password related information was accessed.

Upon being notified by PowerSchool we immediately launched an internal, and ongoing, investigation. Based on the indicators of compromise that were shared, we were able to verify that the reported unauthorized access occurred and we have found no evidence of further unauthorized access. We continue to monitor and investigate and are also awaiting further information from PowerSchool and the Crowdstrike incident report expected in mid-January.  We will be closely analyzing all of this information, and we will share information with families and staff after the incident report is released.

Cybersecurity, in general, has been an ongoing focus of the district. Some of the key steps we have taken in recent years include moving all user devices to full disk encryption, implementing multi-factor authentication, upgrading our endpoint protection and perimeter firewalls, and providing annual cybersecurity awareness training. We also have participated in state and federal cybersecurity grant programs both independently and in partnership with the town's municipal IT department. This is ongoing work and will continue to be an area of focus moving forward. While the focus of Crowdstrike’s incident report will surely be on the threat actor and PowerSchool, we will be closely analyzing this incident to inform our planning and future initiatives and how we can improve our security posture.

Westerly Public Schools partners with other privacy-focused districts in the Student Data Privacy Alliance (SDPA) to negotiate data processing agreements with software vendors and an agreement is in place with PowerSchool. The SDPA is aware of this incident and is engaging with PowerSchool regarding their contractual obligations under the agreement.

We are committed to ongoing and transparent communication regarding this incident. We will continue working with PowerSchool to understand the ongoing investigation and response, and will share any relevant information as it becomes available.  We have also started a PowerSchool Cybersecurity Incident FAQ. This will be a living document and includes additional information and responses to frequently asked questions.

PowerSchool has shared that they engaged the services of CyberSteward, a company with expertise in negotiation with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms.  As an additional verification measure, PowerSchool has contracted on an ongoing basis with Crowdstrike for web and dark web monitoring of any potential future publishing or sale of the data.

No. As part of our data minimization practices, we do not store Social Security numbers, credit cards, or financial information in PowerSchool SIS.

No medical records were included in the unauthorized access. The names and phone numbers of physicians related to students were included as were medical "alerts" in the system. Medical "alerts" are short text alerts to staff of important medical information, such as a peanut allergy.

PowerSchool has assured all districts that the incident is no longer active and that the threat actor has no further access. Their and Crowdstrike's ongoing investigations have found no evidence of persistence in their systems by the threat actor. They have also taken steps to further secure their internal support resources and disable their internal maintenance tool that was used in the incident.

In addition to PowerSchool SIS, the district also uses SchoolMessenger, UnifiedTalent, and Enrollment (used for registration and annual forms). PowerSchool reports that their internal investigation and Crowstrike's ongoing investigation have found no evidence of unauthorized access to any of these systems, and that the internal support site that was accessed through the compromised credentials only had access to the SIS product.

PowerSchool learned of this incident on Saturday, December 28th. They notified Westerly Public Schools on Tuesday, January 7th at 2:10pm that an incident occurred.  We launched an investigation and notified staff and families the following day once we had verified the unauthorized access and identified the exfiltrated data.

We partner with other privacy-focused districts in the Student Data Privacy Alliance (SDPA) to negotiate data processing agreements with software vendors, and we have an agreement in place with Powerschool that requires notification within 5 days, a standard that PowerSchool did not meet. The SDPA's legal counsel is already in communication with PowerSchool about this.

We are awaiting expected information from PowerSchool and as soon as we know more we will share it with families and staff.