(WTAQ-WLUK) — A major education technology software platform for K-12 schools nationwide suffered a cyberattack last month that resulted in the theft of sensitive student and teacher information — and several Northeast Wisconsin schools were affected.
According to a statement from PowerSchool, the incident occurred Dec. 28 when “an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential.”
Officials say the information that was exposed belongs to “certain SIS customers and relates to families and educators.” Stolen data varies depending on the district, but includes any combination of names, postal addresses, social security numbers, personally identifiable information, medical information and grades.
PowerSchool said the incident has been contained and there is no evidence of continued unauthorized activity. The company allegedly decided to pay a ransom demand in return for video evidence that all compromised files were deleted and digitally shredded.
Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts. Although PowerSchool does not anticipate any misuse of personal information or financial harm to impacted individuals, it said it will be providing credit monitoring and identity protection services.
More than a dozen districts in Northeast Wisconsin use PowerSchool. Since news of the hack was made public, some schools have released more information.
The Reedsville School District assured families that its data does not contain social security numbers, bank account numbers or any financial information and that PowerSchool does not have access to financial data that may be entered using RevTrak (lunch/breakfast deposits or fees paid to the district) or Skyward (district financial system).
The School District of West De Pere echoed similar sentiments, saying it does not collect social security numbers and no financial information was compromised.
And in a Facebook Wednesday evening, Sturgeon Bay Schools said, in part, “We are closely monitoring the situation and will share updates with you as we learn more. It is worth noting that this breach is on PowerSchool’s end and has not affected any of our other systems in the district.”
The Green Bay Area Public School District says it was named in the list of districts impacted because it uses PowerSchool’s School Messenger, but the district uses Infinite Campus, not PowerSchool’s information system, so GBAPS was not affected by the breach.
PowerSchool said in the coming days, it will provide affected school districts with a communications package to support district leaders in engaging with families, teachers and other stakeholders about the cyberattack.
Comments