By DAN TOMASELLO
LYNNFIELD — The School Department’s system provider for local students’ and staff members’ information, PowerSchool, was targeted in a cybersecurity data breach last month.
PowerSchool Chief Executive Officer Hardeep Gulati and Chief Customer Officer Paul Brook stated in a letter sent to school districts including Lynnfield Public Schools and Wakefield Public Schools that, “On Dec. 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource.”
“Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (SIS) customer data using a compromised credential, and we regret to inform you that your data was accessed,” Gulati and Brook stated in the letter.
Educational Technology Department Head Rochelle Cooper and Superintendent Tom Geary stated in a Jan. 8 letter sent to families that PowerSchool did not notify school districts until Tuesday, Jan. 7.
“PowerSchool, the platform we rely on for our Student Information System (SIS), learned of a potential breach involving unauthorized access through PowerSource, their customer support portal,” Cooper and Geary wrote. “This issue has impacted PowerSchool customers worldwide.”
Cooper and Geary wrote that school officials are working with PowerSchool in order to “gather information about how members of our school community have been directly impacted.”
“It is confirmed that no Social Security numbers nor financial data were involved, as LPS does not collect Social Security numbers within PowerSchool SIS,” Cooper and Geary stated.
After learning about the incident, Cooper and Geary wrote that, “PowerSchool took action by initiating their cybersecurity response protocols.”
“They engaged a cross-functional team, including senior leadership and third-party cybersecurity experts, to investigate the breach,” Cooper and Geary wrote. “Additionally, law enforcement has been notified and is involved in the ongoing response. Specific details about impacted individuals and the services available to them will be shared with us in the coming days.”
Cooper and Geary stated that they understand families “may have questions or concerns about this incident.”
“We are committed to keeping you informed as we receive more information,” Cooper and Geary stated. “We greatly appreciate your understanding and continued support as we work through this matter to ensure the safety and security of all LPS community members.”
Geary informed the Villager in an email that staff members’ “names, addresses, phone numbers and emergency contacts are included in PowerSchool.”
“Beyond that we don’t have additional information,” Geary stated. “We are waiting for more details on the situation from PowerSchool.”
Gulati and Brook stated in their letter that, “Importantly, the incident is contained.
“We have no evidence of malware or continued unauthorized activity in the PowerSchool environment,” Gulati and Brook wrote. “PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.”
Gulati and Brook stated that PowerSchool has “taken all appropriate steps to prevent the data involved from further unauthorized access or misuse.”
“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” Gulati and Brook stated.
“We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
Gulati and Brook stated in their letter that, “PowerSchool is committed to working diligently with customers to communicate with your educators, families and other stakeholders.”
“We are equipped to conduct a thorough notification process to all impacted individuals,” Gulati and Brook stated. “Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.”
Gulati and Brook wrote that PowerSchool has “taken all appropriate steps to further prevent the exposure of information affected by this incident.”
“While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations,” Gulati and Brook wrote. “The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.”
Gulati and Brook stated that PowerSchool will be “holding webinars with senior leaders, including our chief information security officer, to address additional concerns.”
“We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together,” Gulati and Brook stated. “Thank you for your continued support and partnership.”
Wakefield Public Schools Technology Director John Weiner criticized PowerSchool for waiting 10 days before notifying school districts about the cybersecurity data breach.
“This news, and the delay in which it was reported to us by PowerSchool, is extremely concerning,” Weiner stated in a letter sent to Wakefield families.
