The Berkshire Eagle, by Greg Sukiennik on January 9, 2025
There's never a good time for a data breach delivering personal information into the wrong hands.
But county school superintendents whose teachers and administrators use the PowerSchool student information system to manage data are not happy that it took the company 11 days to report it had suffered a worldwide security breach. That notification came Monday afternoon.
The affected data tables include fields for names, addresses, family home and email addresses, potential medical alerts and, most alarmingly, Social Security numbers.
However, PowerSchool officials said that most districts leave the field for student Social Security numbers empty. That's the practice in Lenox and in Pittsfield, Lenox Superintendent William Collins and Pittsfield Superintendent Joseph Curtis said.
Area school superintendents informed teachers and families of the breach on Tuesday morning. The company said during a conference call it was notified by a "threat actor" on Dec. 28, adding that it had gained assurances the data is safe and will not be shared or uploaded. Its chief executive officer, Hardeep Gulati, said in a conference call that the firm "understands how concerning this is for all of you" and pledged diligence in containing the breach and working with customers moving forward.
North Adams, Lenox, Pittsfield, the Central Berkshire Regional School District in Dalton, and the Berkshire Hills Regional School District in Great Barrington are among county PowerSchool users affected by the breach.
"Currently, the details of the breach are still limited; however, our technology director and [information technology] department are actively investigating the situation to thoroughly evaluate its impact on both staff and student data within our district," Curtis said in an email to the Pittsfield school community. He also said that was the technology department's "only priority" on Tuesday.
"This news, along with PowerSchool's delay in reporting it to us, is deeply concerning," Curtis said. "Please know that we are actively monitoring the situation and will continue to provide updates as new information becomes available."
Later in the day, Curtis told families that PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors.
"We will provide further details on how to enroll in this when we receive it," he said in the notice to families.
In a letter to the Central Berkshire school community, Superintendent Leslie Blake-Davis said the district would change all student passwords as a precaution.
"Please be reassured that our most sensitive student data such as IEPs and health records are stored in systems other than PowerSchool," Blake-Davis said. "At this time, we believe that the scope of this data breach is limited and consists primarily of demographic data."
Local school leaders were disturbed that it took PowerSchool 11 days to report the breach. Company executives did not address several questions on the notification delay during the one-hour teleconference Tuesday afternoon.
"I've got a lot of frustration, particularly in dealing with the breach and when they let us know," said Collins, the Lenox superintendent.
According to the firm's chief information security officer, Mishka McCowan, the "threat actor" first used a compromised credential to access PowerSource, a customer support portal within the platform, on Dec. 19. Activity logs showed that the individual used that to gain access to the company's data, and on Dec. 22, apparently used a script to copy tables with information about students and teachers.
After the threat actor informed the company on Dec. 28, it enlisted the services of two firms — CrowdStrike, a cybersecurity company, and CyberSteward, which has expertise in resolving ransomware and extortion attempts. It also involved law enforcement, specifically the FBI, McCowan said.
The result, McCowan said, was the threat actor provided video evidence that the data was deleted and pledged it would not be shared or uploaded. The company did not answer questions asking if money changed hands to reach that agreement.
PowerSchool provides student data management software to school districts as a subscription-based "software as a service" (SaaS) product. Districts use the software to enter grades, track data trends, and submit data to meet state and federal reporting requirements.
PowerSchool is the dominant player in the business, serving about 75 percent of K-12 students in North America and 60 million students in the U.S., according to the company website. Over time it has developed or purchased other services that fit into a suite of education workplace tools, most recently an AI-powered assistant called "PowerBuddy."
"Up to this point they’ve had a pretty secure service. We felt, and they led us to believe, it was pretty secure, it was safe," Collins said. "They're a giant in this. And they have a good service."
Only a portion of the company's data was accessed, and it informed customers who were affected, McCowan said.
Not every county district uses PowerSchool. McCann Tech has used Follett Aspen since making the switch to computerized student data, according to Jim Brosnan, superintendent of the Northern Berkshire Vocational Regional School District.
"We found that to be the system that fit our specific needs the best, especially in terms of vocational education," he said.
The Lee Public Schools use Focus, which Superintendent Michael Richard says is better-suited to smaller districts and less expensive. Last year, Richmond pooled resources with Hancock and switched from PowerSchool to School Insight, Richmond Superintendent Beth Choquette said.
"PowerSchool maybe provides more services than are necessary for a district our size," Richard said. "They charge you for a lot when you only use a little ... Focus is a cost-effective system that's doing what we need it to do."
PowerSchool was acquired by Bain Capital in October for $5.6 billion, bringing the company back into private ownership.
Before the sale, in its last annual report to shareholders in March 2024, PowerSchool said it intended to "leverage our track record of success with our existing customers by selling additional software across our platform and targeting new opportunities within these schools and districts."
Ironically, the webpage where PowerSchool held its teleconference included a link to a story called "5 signs it's time to switch your district's SIS."
The first reason listed? "You don’t have confidence in your SIS’s data security."