A data breach is impacting school districts across the country, including several here in Massachusetts, and this could mean names, addresses, medical records and even social security numbers were compromised -- something local cybersecurity experts say is unsettling.
"It seems like it was caused by a stolen credential from one of their administrative people, and this you know, this shouldn't be happening," Frederick Scholl, of Quinnipiac University, said of the PowerSchool nationwide data breach.
Wellesley Public Schools and at least two other districts sent letters to their students' families this week, informing them about what happened.
Superintendent Dr. David Lussier said the district was notified by PowerSchool, the student information system they utilize, that the nationwide data breach had compromised the personal information of students and teachers from thousands of districts, including Wellesley.
According to Lussier, PowerSchool officials said the information breach was part of a targeted attack where a compromised credential in PowerSchool’s customer support portal was used to find and download a large amount of data from schools nationwide that pertains to students, families, and educators.
PowerSchool reportedly learned of the attack when the perpetrator reached out to them and asked for payment to destroy the data. PowerSchool officials told districts in a webinar held Wednesday that they paid the perpetrator an undisclosed amount of money in exchange for video evidence that the data was deleted, Lussier said.
PowerSchool officials told district officials that they believe there are no additional copies of the data and that the data will not be shared with the public. They're actively searching the dark web to confirm.
In Wellesley, the district's technology department is compiling a list of the categories of information that were included in the breach.
Lussier says no bank account or credit card information is collected in PowerSchool. Student and teacher photos were also reportedly not included in the breach, nor was password information.
"To reiterate, this was a national event, and like thousands of districts, in the coming days and weeks, we will be actively investigating this breach and taking the appropriate actions," Lussier said in his letter to families. "We acknowledge that this is concerning news, and will share more details with you as we learn more."
In Needham, Superintendent Dan Gutekanst told the district's families that PowerSchool learned of the potential cybersecurity incident on Dec. 28, and then notified their district on Jan. 7.
According to Gutekanst, PowerSchool officials said an unauthorized party gained access to certain student information system customer data using a compromised credential.
They believe "the export data manager tool was used to extract only student and teacher tables. These tables primarily include contact information with data elements such as name and address information. For a subset of the customers, these tables may also include Social Security Number (SSN), other Personally Identifiable Information (PII), and some medical and grades information for current and former students depending on the specific school district."
According to PowerSchool, the incident is "contained," and there's no evidence of malware or continued unauthorized activity. They issued a statement saying they have taken "all appropriate steps" to prevent the data involved from any further unauthorized use or misuse.
"The incident is contained and we do not anticipate the data being shared or made public," they said. "PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers."
Needham Public Schools say they have not collected social security information from staff or families through PowerSchool for many years, but PowerSchool has indicated that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations, Gutekanst said.
"The Needham Public Schools does not have direct confirmation that it was impacted in any way by this breach. We are following up with PowerSchool to find out more information on how the District may have been affected and for more details on the incident," Gutekanst wrote to families. "The District is also reviewing what occurred internally and whether we need to take additional security measures on our end."
Holliston Public Schools was also impacted, as were several districts in Connecticut.
Law enforcement was informed about the incident, which remains under investigation.
NBC10 Boston has reached out to PowerSchool and the Massachusetts Department of Elementary and Secondary Education.