by Holly Allen
PowerSchool – a cloud-based software vendor utilized by five of the six school districts in Jefferson County – recently experienced a cybersecurity incident involving unauthorized access to certain information in the Student Information System. According to their website, PowerSchool was alerted Dec. 28 to the incident, which involved the unauthorized export of personal information through a customer support portal, PowerSource.
“PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers,” said a message on the site. “We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.”
The software is utilized by school districts as a portal to store and share information such as grades, fees, and disciplinary and enrollment information with parents and students, serving 60 million students across 18,000 schools worldwide.
The company said the breach, which apparently began Dec. 19 and ended nine days later, involved the downloading of “large amounts of data about students, schools, and families.”
PowerSchool also released an FAQ sheet, accessible only to customers, in which it plainly revealed that while the incident was not a ransomware attack, the company did pay a ransom to prevent the data from being released. The company stated that it had received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
Types of information exfiltrated in the incident may have included one or more of the following: the individual’s name, contact information, date of birth, limited medical alert information, Social Security number, and other related information.
Administrators from unified school districts 338, 339, 341, and 342 all sent a similar response regarding who was affected by the breach — “at this time, PowerSchool has not shared with us which specific students, educators, or other individuals affiliated with our school district have been impacted.”
USD 343 Superintendent Josh Woodward posted a message which included the following additional information:
“USD 343 does not currently collect Social Security numbers as part of student or staff PowerSchool records. However, during our deep dive into all data from past years, we discovered that some Social Security numbers of former students and staff members were still stored in the PowerSchool system and were part of this breach. The students affected were from the years 2000 to 2007. The staff affected were from the years 2000 to 2017. All Social Security numbers have been removed from the USD 343 PowerSchool system now. If you were a student or staff member at USD 343 during this time span and would like to confirm whether your SSN was in the system at the time, please contact us at inquiries@usd343.org.”
All district superintendents encouraged patrons to visit https://www.powerschool.com/security/sis-incident/ for up-to-date information on the incident.
USD 340 Superintendent Brad Neuenswander advised the newspaper that the Jefferson West district, the only district in the county to utilize an alternate software platform, Skyward, does not contract with PowerSchool and was therefore unaffected by this breach.
According to PowerSchool, two years of complimentary identity protection and credit monitoring services will be offered to all students and educators whose information was involved. PowerSchool reports it has engaged credit reporting agency Experian to provide these services.
Their website advises, “Starting in the next few weeks, PowerSchool will coordinate with Experian to provide notice on behalf of our customers to students (or their parents/guardians if the student is under 18) and educators whose information was exfiltrated from their PowerSchool SIS.”