Worldwide PowerSchool Breach Reaches Pittsfield, North Berkshire SchoolsBy Brittany Polito, iBerkshires Staff 05:22PM / Thursday, January 09, 2025 | |
PITTSFIELD, Mass. — Pittsfield Public Schools students and teachers had their personal information accessed as part of a worldwide PowerSchool breach. Mount Greylock Regional School District and Northern Berkshire School Union also reported some data was accessed.
"This is not unique to the city of Pittsfield," Superintendent Joseph Curtis told the School Committee on Wednesday.
"Every one of the 18,000 PowerSchool customers has experienced a data breach. We were informed yesterday with a very brief notice from PowerSchool and our technology department began to dig into the impact near immediately."
The breach reportedly took place between Dec. 19 and 28, when it was detected by PowerSchool and all accounts were locked down. It is being investigated by the FBI and a third-party cybersecurity firm.
On Jan. 8, PowerSchool hosted a webinar with the investigative team to provide school districts with further details about the situation.
"PS has not provided districts at this point with the kind of concise and actionable info around what it's prepared to do in terms of assistance and longer term support for anyone impacted — particularly the small group where SSNs were part of that breach," interim Superintendent Joseph Bergeron told the Mount Greylock School Committee on Thursday. "I think the whole world is putting a lot of pressure on PS right now, thankfully, it's not just us, to have next steps."
The Pittsfield Public School's technology department investigation found that personal information from the fields "Student" and "Teacher" were accessed. This includes home addresses, phone numbers, and email addresses.
Other school districts have reported access to student grades, health information and Social Security numbers.
Bergeron referenced 52 Social Security numbers accessed after investigation by the Mount Greylock district's information and education technology directors.
"The speed with which on Tuesday night and Wednesday morning, they were able to, in my opinion, be well ahead of many districts in the country and Canada, pin down what data was accessed — our ability to say 52 SSNs pretty clearly and accurately in less than 24 hours is a testament to their knowledge of the system and ability to respond quickly," he said.
Northern Berkshire School Union also relied on its IT director, Josh Arico, to determine if the data had been hacked after being told by PowerSchool that it believed no files had been accessed.
"In his own diligence, he investigated, and PowerSchool provided the address of the hacker, and he did find it," Northern Berkshire Superintendent John Franzoni told his School Committee on Thursday.
The district had held off on sending a communique to parents until it could assure them what had happened. Arico found that the hacker may have accessed some demographic information and a letter was sent to parent on Thursday.
"He did go through files for the last three days just trying to figure out if there was anything and he did uncover some information," Franzoni said. "We feel confident that it's not significant, but we also want to make sure that our No. 1 priority is always the safety of our students and staff and families. So as information comes in, we will make it aware of the families."
On Thursday, the North Adams Public Schools said its data was not comprised as a part of the breach. The district was notified by PowerSchool on Jan. 7 that its support portal was internationally breached and school districts' data had been compromised. After an “extensive internal investigation” including a review of all exported reports, NAPS said there was “no reason to believe that our data was compromised as part of this event.”
The district reiterated that Social Security numbers are not stored in PowerSchool and special education data was not accessed.
As a cybersecurity computer science student, Pittsfield School Committee member William Garrity found the breach "deeply concerning."
"I am concerned by the security practice PowerSchool had implemented before this," he said.
"I think there was a lot of this oversight, I'm not going to get into it in this meeting. Hopefully not just us but other districts around Massachusetts, the county, and the world hold PowerSchool accountable for their security practices."
Curtis reported at Wednesday's meeting that a hacker got into the information through a compromised PowerSchool employee account that has since been disabled and the software company took immediate steps to secure its system.
"Almost all of the Berkshire County, and certainly across Massachusetts, the United States, and the globe use PowerSchool," the superintendent said.
"There are very few alternatives to student information systems as they are bought up by each other and PowerSchool is certainly one of the main ones. We've had PowerSchool for about 22 years at this point."
PowerSchool will provide credit monitoring to affected adults and identity protection services to affected minors per regulatory and contractual obligations.
"We did two family information releases today and two staff information releases, and then some individual staff contacts as well," Curtis said, adding that additional information about the breach will be shared publicly once it is received.
Bergeron noted that the software contract is through the state of Massachusetts and that the district's legal counsel is aware of potential class-action suits with other districts.
"The Mass AGO is certainly aware and thinking about what role it needs to play if any," he said. "I think right now everybody is waiting on PS to issue the structured resolution that it is supposed to issue. We're all waiting for that so we know what we should respond to next."
PowerSchool is a cloud-based software company that provides student information systems (SIS) for K-12 schools in more than 90 countries, providing services to 18,000 educational organizations with more than 60 million students.
It holds student information such as grades and attendance, administrative tasks, compliance reports, emergency management, and learning tools. It indicated that it will continue to provide general updates as the investigation continues and will release a final report at the conclusion.
Editor's note: complete write-thru Jan. 13 with new information and clarification.
|