Dear SPS Community:
Today, we were notified by PowerSchool, the student information system used by our District and many others across the country, of a cybersecurity incident affecting their systems. PowerSchool has informed us that this incident involves unauthorized access to their data systems nationwide.
We want to share what we know at this moment, given the potential significance and reach of this incident. At this time, PowerSchool has indicated this is a nationwide issue, but we are awaiting further clarification whether there is any local impact. PowerSchool has assured its customers that the incident has been contained, and there is no evidence of continued unauthorized activity.
This afternoon we will participate in a webinar hosted by PowerSchool’s senior executives, during which they will provide PowerSchool’s customers with more information about the incident and their response. We are committed to fully understanding the situation.
As soon as we have additional information from the webinar and further guidance from PowerSchool, we will provide you with an update. Our priority is to ensure transparency and to take any necessary steps to protect the information entrusted to our systems.
We understand the concern this may cause and appreciate your patience and understanding as we navigate this situation. Please know that we take the security of student and family data very seriously and will do everything we can to keep you informed.
Thank you for your attention, understanding, and support.
David Ljungberg, Superintendent
Stoneham Public Schools
January 10, 2025
Dear SPS Families and Staff:
As I previously communicated, on Tuesday, January 7 we were informed about a national/worldwide cybersecurity incident that occurred in late December involving our student information system (SIS) provider, PowerSchool. PowerSchool confirmed student and staff information from across the country and Canada had been accessed by an unauthorized user.
We engaged in a conference call with PowerSchool late afternoon on January 8 to get specific details about our data. We have confirmed the following:
The issue was caused by compromised credentials of a PowerSchool employee that allowed access to their national customer support platform.
The PowerSchool support platform is operated and managed by PowerSchool, not the Stoneham Public Schools.
Most of the information obtained was Directory information. Directory information includes names, addresses, and emails that are not protected by state and federal student records laws and regulations.
Our Technology staff was able to audit our internal records and located the specific files that were accessed. Our own internal assessment found that, in addition to the Directory information for all students and staff previously disclosed, there were specific instances where sensitive student information was accessed that is protected by state and federal student records laws and regulations. There was no protected staff information disclosed.
Specifically, our team identified the following instances of protected student information of current and former students having been disclosed:
Medical Alerts: Current students that have a medical condition have an alert placed in PowerSchool. The alert does not specify what the actual medical condition is. The alert simply says "see nurse." These alerts are used so that staff know they should see the school nurse for specific medical information, such as for a life-threatening food allergy.
Custody and Court-related Alerts: Some students have a custody alert that includes information such as custody agreements, restraining orders, and other legal information which stipulate how our schools may communicate with families.
If your child had protected information noted above that was compromised as part of this data breach, we will notify you early next week of the specific category of information through a separate email. This email will be specific to your child and provide contact information in the event you want to follow up directly with school staff.
Please know that as a practice we do not collect certain sensitive information such as social security numbers or immigration status, so this information is not part of our information systems. Additionally, most of a student’s medical information is kept separately in a secured system outside of PowerSchool.
PowerSchool has reported that they have taken measures to curtail further breaches.
What action you need to take: All staff and families should reset their passwords for added account security. User passwords were not part of the data compromised in the breach; however, out of an abundance of caution, we are requesting that all staff and families reset their passwords for their PowerSchool accounts. To reset your password, log in to the portal, select account preferences, and edit your password:
This news and the delay in which the security breach was reported to us are extremely concerning. Our goal in this process has been to address the issue with the greatest transparency possible.
Sincerely,
David Ljungberg
Superintendent of Schools
PowerSchool has shared that they engaged the services of CyberSteward, a company with expertise in negotiation with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms. As an additional verification measure, PowerSchool has contracted on an ongoing basis with CrowdStrike for web and dark web monitoring of any potential future publishing or sale of the data.
PowerSchool has engaged with CrowdStrike, a leading cybersecurity organization, to conduct a forensic analysis of event logs during the unauthorized access period. They will provide updates if new information becomes available. However, PowerSchool does not feel any backdoor access was created.
Notice from PowerSchool on 1/29/25:
Dear Valued Customers,
We sincerely appreciate your continued support as we respond to our recent cybersecurity incident. Since our last update, we have initiated the process of notifying involved individuals about the resources now available to them. As part of this process, we have posted a notice to our website. Credit monitoring and identity protection services are now activated and available.
In the coming weeks, Experian (on behalf of PowerSchool) will also be distributing direct email notifications to involved individuals for whom we have sufficient contact information. This email notice will include further information about the information of theirs involved and the resources PowerSchool is offering. Additionally, we have coordinated with Experian to set up a call center for your families and educators in case they have questions about these offerings.
As a reminder, PowerSchool is offering two years of complimentary identity protection services for all current and former students and educators whose information was determined to be involved. We are also offering two years of complimentary credit monitoring services for all adult students and educators whose information was determined to be involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.
We care deeply about keeping the students, families, and educators we support informed of this process. Please refer inquiring community members to the PowerSchool website for the latest information on the cybersecurity incident. To further support our districts and schools, PowerSchool has prepared template communications for your adapted use in conversation with families and educators as you see fit. The emails included below this message provide an update to both groups regarding the notification process and services PowerSchool is offering to involved individuals.
Thank you for your partnership in supporting this process and the trust you have placed in our response. We acknowledge the significance of this incident and are committed to emerging from it stronger and better equipped to serve you and the communities we share.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool