-
PowerSchool Cybersecurity Incident
Parents, Caregivers, and Staff,
On Wednesday, January 8th, we shared with families and staff via email that PowerSchool had notified us that they had experienced a cybersecurity incident that resulted in unauthorized access to student and staff data. This incident is deeply concerning to us and we are committed to being transparent and timely in our communication to you. We will continue to share information with you directly and publish our ongoing communication and answers to frequently asked questions on this web page.
This incident is profoundly troubling. While PowerSchool has expressed confidence that the data will never be made public, it is hard not to be skeptical and to be left with a feeling of uncertainty. The district has long placed a priority on data security and protecting student and staff information and PowerSchool’s compromise undermines these efforts. We can assure you that we will continue to investigate and monitor this incident, share all relevant information as soon as it becomes available, and take any additional actions necessary to protect the information you have entrusted to us. If you have any questions, please reach out to Rob Ford at rford@lincnet.org.
Incident Details and Timeline
-
Background
PowerSchool is the largest provider of software solutions to K-12 schools in the United States, and their core product is the PowerSchool Student Information System (SIS). All school districts use an SIS, and in Massachusetts PowerSchool is one of five SIS on the state-wide purchasing contract that is certified for state reporting. All districts are required to have an SIS certified for state reporting and PowerSchool is one of, if not the, most widely used in the state.
Along with many of our neighboring districts, Lincoln Public Schools uses PowerSchool SIS. LPS also uses PowerSchool’s SchoolMessenger, Unified Talent, and Enrollment (including registration and annual forms) products. However, PowerSchool reports those products were not impacted by this incident.
-
What Happened?
Based on the preliminary information that PowerSchool has provided, in late December a compromised credential was used by a threat actor to gain access to PowerSchool’s internal support tools. On December 22nd, the threat actor used an internal maintenance tool to gain unauthorized access to student and staff data in PowerSchool SIS.
On December 28th, PowerSchool was made aware of the incident, began an immediate investigation with both internal resources and third-party cybersecurity experts, and informed law enforcement. Powerschool reports that the incident is now contained and there is no evidence of further unauthorized activity. Crowdstrike is performing an investigation and a full incident report is expected by January 17th.
PowerSchool also engaged the services of CyberSteward, a firm that negotiates with threat actors. While we do not have specifics of the negotiation that occurred, PowerSchool has stated that in exchange for payment they have received reasonable assurances from the threat actor that the data was deleted, including video showing the electronic destruction of the stolen data, and that no additional copies exist. PowerSchool’s senior leadership has stated that they are confident the data will not be made public.
On January 7th, PowerSchool informed districts of the incident in email. Lincoln Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district’s data occurred on December 22nd. After verifying that unauthorized access to our data had occurred, we informed families and staff on January 8th.
-
What Data Was Accessed?
PowerSchool has reported that the unauthorized access was limited to the data fields in two database tables in PowerSchool SIS, and our internal investigation is consistent with this finding. The data that was accessed will vary by district due to differences in data collection practices.
In the Lincoln Public Schools specifically, the information that was accessed included student names, home addresses and phone numbers, demographic information, parent/guardian and emergency contact information, custodial information for some students, contact information for physicians, medical “alerts” (for example a food allergy), and school operational information, such as grade, year of graduation, student ID numbers and usernames, home room, bus numbers, and participation in programs such as special education and EL services.
The accessed staff information included names, contact information, home addresses and phone numbers, email addresses, staff ID numbers and usernames, and demographic information.
We do not believe that any student assessment results, grades or academic data, report cards, full health records, IEPs, or records pertaining to attendance, discipline, or behavior were accessed. We do not store student or staff Social Security numbers or financial information in PowerSchool SIS, and no password related information was accessed.
-
What is the District Doing to Respond?
Upon being notified by PowerSchool we immediately launched an internal, and ongoing, investigation. Based on the indicators of compromise that were shared, we were able to verify that the reported unauthorized access occurred and we have found no evidence of further unauthorized access. We continue to monitor and investigate and are also awaiting further information from PowerSchool and the Crowdstrike incident report expected in mid-January. We will be closely analyzing all of this information, and we will share information with families and staff after the incident report is released.
Cybersecurity, in general, has been an ongoing focus of the district. Some of the key steps we have taken in recent years include moving all user devices to full disk encryption, implementing multi-factor authentication, upgrading our endpoint protection and perimeter firewalls, and providing annual cybersecurity awareness training. We also have participated in state and federal cybersecurity grant programs both independently and in partnership with the town's municipal IT department. This is ongoing work and will continue to be an area of focus moving forward. While the focus of Crowdstrike’s incident report will surely be on the threat actor and PowerSchool, we will be closely analyzing this incident to inform our planning and future initiatives and how we can improve our security posture.
Lincoln Public Schools partners with other privacy-focused districts in the Student Data Privacy Alliance (SDPA) to negotiate data processing agreements with software vendors and an agreement is in place with PowerSchool. The SDPA is aware of this incident and is engaging with PowerSchool regarding their contractual obligations under the agreement.
We are committed to ongoing and transparent communication regarding this incident. We will continue working with PowerSchool to understand the ongoing investigation and response, and will share any relevant information as it becomes available. We have also started a PowerSchool Cybersecurity Incident FAQ. This will be a living document and includes additional information and responses to frequently asked questions.
FAQ
-
How is PowerSchool confident that the data has been deleted?
PowerSchool has shared that they engaged the services of CyberSteward, a company with expertise in negotiation with threat actors, and made a payment in exchange for the deletion of the data and assurances that no copies were made, including obtaining video of the digital destruction of the data. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms. As an additional verification measure, PowerSchool has contracted on an ongoing basis with Crowdstrike for web and dark web monitoring of any potential future publishing or sale of the data.
-
Were Social Security numbers, credit cards, or other financial information accessed?
No. As part of our data minimization practices, we do not store Social Security numbers, credit cards, or financial information in PowerSchool SIS.
-
Was personal health information (PHI) accessed?
No medical records were included in the unauthorized access. The names and phone numbers of physicians related to students were included as were medical "alerts" in the system. Medical "alerts" are short text alerts to staff of important medical information, such as a peanut allergy.
-
Is it safe to continue using PowerSchool SIS?
PowerSchool has assured all districts that the incident is no longer active and that the threat actor has no further access. Their and Crowdstrike's ongoing investigations have found no evidence of persistence in their systems by the threat actor. They have also taken steps to further secure their internal support resources and disable their internal maintenance tool that was used in the incident.
-
What other PowerSchool products does the district use? Were they compromised?
In addition to PowerSchool SIS, the district also uses SchoolMessenger, UnifiedTalent, and Enrollment (used for registration and annual forms). PowerSchool reports that their internal investigation and Crowstrike's ongoing investigation have found no evidence of unauthorized access to any of these systems, and that the internal support site that was accessed through the compromised credentials only had access to the SIS product.
-
How long did it take PowerSchool to notify the district of this incident?
PowerSchool learned of this incident on Saturday, December 28th. They notified Lincoln Public Schools on Tuesday, January 7th at 2:10pm that an incident occurred. We launched an investigation and notified staff and families the following day once we had verified the unauthorized access and identified the exfiltrated data.
We partner with other privacy-focused districts in the Student Data Privacy Alliance (SDPA) to negotiate data processing agreements with software vendors, and we have an agreement in place with Powerschool that requires notification within 5 days, a standard that PowerSchool did not meet. The SDPA's legal counsel is already in communication with PowerSchool about this.
-
Will PowerSchool be communicating directly with impacted individuals or providing any supports or services? (Updated 2/2/25)
PowerSchool has announced that they will be offering complimentary identify protection and credit monitoring through Experian to individuals whose information was involved in the incident as follows:
- Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.
- Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
PowerSchool notified us on 1/31/25 that in the coming weeks Experian (on behalf of PowerSchool) would begin directly contacting involved individuals (or their parent/guardian, as applicable) via email. The email will contain information for enrolling in identity protection and fraud services. The deadline to enroll in these services will be May 30, 2025.
PowerSchool and Experian have also set up a dedicated call center at 833-918-9464 to answer questions associated with these offerings and the incident, and they have posted a formal data breach notification, along with detailed instructions for activating identity protection and fraud monitoring services at https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.
-
How can I contact PowerSchool to get more information about the incident or the identity protection and credit monitoring services they are offering.
PowerSchool is posting general information and updates about the cybersecurity incident at https://www.powerschool.com/security/sis-incident/.
PowerSchool and Experian have set up a dedicated call center at 833-918-9464 to answer questions about the identity protection fraud monitoring services, and the incident in genera. They have also posted a formal data breach notification, along with detailed instructions for activating identity protection and fraud monitoring services at https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.
District Communication
-
Letter to Families and Staff 1/8/25
Dear Lincoln Public Schools Families and Staff,
Yesterday afternoon, we were informed by PowerSchool, the provider of our district’s student information system, of a nation-wide cybersecurity incident that resulted in unauthorized access to student and staff information. PowerSchool is the largest provider of student information systems in the US, and this incident is believed to have impacted districts across the country, including Lincoln Public Schools, and potentially millions of students and staff. This is extremely concerning information and we are actively investigating and seeking more details from PowerSchool. While we only have limited details at this time, we want to share with you what we do know.
PowerSchool reports that the incident, which occurred in late December, is contained and not ongoing. The unauthorized access occurred through one of PowerSchool’s support platforms and they report that they have contained the incident and prevented further unauthorized access.
PowerSchool has shared that student, family, and staff information, such as names, contact information, and demographics were accessed. We have begun our own internal forensic analysis, and we believe that, specifically within Lincoln Public Schools, the information that was accessed included student names, home addresses and phone numbers, demographic information, parent/guardian and emergency contact information, custodial information, contact information for physician, medical “alerts” (for example a food allergy), and school operational information, such as grade, year of graduation, student ID numbers and usernames, home room, bus numbers, and participation in programs such as special education and EL services.
The accessed staff information included names, contact information, home addresses and phone numbers, email addresses, staff ID numbers and usernames, and demographic information. We do not believe that any student assessment results, grades or academic data, report cards, full health records, IEPs, or records pertaining to attendance, discipline, or behavior were accessed. We do not store student or staff social security numbers or financial information in PowerSchool, and no password related information was accessed.
PowerSchool has additionally stated that they do not anticipate the data that was accessed being shared or made public, and that they believe it has been deleted without any further replication or dissemination. We are seeking additional information from PowerSchool to help us understand the basis for their confidence that the data was deleted and will not be shared.
PowerSchool executives are holding a webinar with districts later today and we hope to learn more at that time. We are also continuing to investigate independently and will consult with our legal counsel as appropriate. We understand that you likely share our deep concern about this incident. Protecting student and staff information has been and will continue to be a central value of our district and we will do everything we can to keep you informed. Please expect an update from us in the coming days when we have more to share.
If you have any immediate questions, please feel free to contact Rob Ford, our Director of Educational Operations and Technology, at rford@lincnet.org.
Thank you for your patience and understanding as we continue to work to better understand the situation.
Sincerely,
Parry Graham
Superintendent
Rob Ford
Director of Educational Operations and Technology
-
Superintendent's Update 1/10/25
Excerpted from the Superintendent's Bi-Weekly Update, 1/10/25
Dear Lincoln Public Schools Families,
As I wrote to you on Wednesday, we were notified earlier in the week that PowerSchool, our student information system, experienced a cybersecurity incident that resulted in unauthorized access to student and staff data. I wanted to share with you some additional information that we have learned since then, and direct you to our website, where we have put together an FAQ with answers to a number of common questions.
The data breach was the result of bad actors who used a compromised credential to gain access to PowerSchool’s internal support tools. They were then able to access student information systems all over the country. Those bad actors then demanded payment from PowerSchool to delete the data that they were able to access. PowerSchool has since contracted with Crowdstrike to perform an investigation, and a full incident report is expected by January 17th. We are hoping to receive a copy of that incident report, and will continue to share any new information with families and staff.
PowerSchool has expressed a high degree of confidence that the data has since been deleted and was not shared. While it is reasonable, and perhaps advisable, to be skeptical, experts in the field have shared that cyber-extortionists do have a financial incentive to follow through on deleting data, so future victims are more likely to pay ransoms. As an additional verification measure, PowerSchool has also contracted on an ongoing basis with Crowdstrike for web and dark web monitoring of any potential future publishing or sale of the data.
Cybersecurity has been an ongoing focus in LPS, so it’s particularly frustrating to have student and staff data be compromised by what was essentially an end run around ours and other districts’ security protocols. We have taken a number of steps in recent years to improve our cybersecurity, including moving all user devices to full disk encryption, implementing multi-factor authentication, upgrading our endpoint protection and perimeter firewalls, and providing annual cybersecurity awareness training. We also have participated in state and federal cybersecurity grant programs both independently and in partnership with the town's municipal IT department. This is ongoing work and will continue to be an area of focus moving forward. While the focus of Crowdstrike’s incident report will surely be on the threat actor and PowerSchool, we will be closely analyzing this incident to inform our planning and future initiatives and how we can improve our security posture.
Parry Graham
Superintendent
-
Superintendent's Update 1/24/25
Excerpted from the Superintendent's Bi-Weekly Update, 1/24/25
Dear Lincoln Public Schools Families,
I wanted to share with you some updated information about the PowerSchool cybersecurity incident. PowerSchool has announced that they will be offering complimentary identity protection and credit monitoring through Experian. According to PowerSchool, they will offer:
- Identity Protection – Two years of complimentary identity protection services for all students and educators whose information was involved.
- Credit Monitoring – Two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
PowerSchool has said they will be contacting individuals directly in the coming weeks regarding these services. When we have more specifics about that communication, the anticipated incident report from Crowdstrike, or any other additional information, we will share it with you and post it to our PowerSchool Cybersecurity Incident information page and FAQ.
Parry Graham
Superintendent
-
Letter to Families and Staff 2/3/25
Dear Families, Caregivers, and Staff,
We recently shared that PowerSchool will be offering identity protection and fraud monitoring services through Experian, a credit reporting agency, to individuals whose information was accessed during their recent nation-wide cybersecurity incident.
PowerSchool has informed us that they have begun the process of notifying impacted individuals. In the coming weeks, Experian (on behalf of PowerSchool) will directly contact involved individuals (or their parent/guardian, as applicable) via email. The email will contain information for enrolling in identity protection and fraud services. The deadline to enroll in these services will be May 30, 2025.
PowerSchool and Experian have also set up a dedicated call center at 833-918-9464 to answer questions associated with these offerings and the incident, and they have posted a formal data breach notification, along with detailed instructions for activating identity protection and fraud monitoring services at https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.
Please note that while communications from PowerSchool and Experian may reference social security numbers, which some districts did have in PowerSchool, Lincoln Public Schools has never stored social security numbers for either staff or students in PowerSchool.
For any questions about the identity protection and fraud monitoring services, please contact PowerSchool and Experian’s help line at 833-918-9464, and to view our past communication about this incident, including answers to frequently asked questions, please visit https://www.lincnet.org/powerschoolcybersecurityincident.
Thank you
Rob Ford
Director of Educational Operations and TechnologyParry Graham
Superintendent of Schools