Dear Pelham Families and Staff,
Summary:
I need to inform you that PowerSchool, the Pelham School District’s student information system vendor, has experienced a cyber incident. An unauthorized user was able to download student and teacher tables for many PowerSchool clients around the United States and around the world. This may include the Pelham School District. PowerSchool believes this data has since been deleted by the unauthorized user without any further replication or dissemination. Nevertheless, we are taking this matter extremely seriously. We will continue to update you as information becomes available from PowerSchool.
Detailed Explanation:
On the afternoon of January 7, 2025, we were informed by PowerSchool that on December 28,2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals,PowerSource. PowerSchool has indicated an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential.
Since we learned of the unauthorized access, we have been working to understand its scale and impact on Pelham students and staff. We do not have direct confirmation from PowerSchool that our data was taken. PowerSchool sent a general notice to all districts. They reported that the export data manager tool was used to extract student and teacher tables. These tables primarily include contact information with data elements such as name and address information. For a subset of the customers, these tables may also include Social Security Number (SSN), other Personally Identifiable Information (PII), and some medical and grades information for current and former students depending on the district.
In response, PowerSchool has reported to us that it “engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.” PowerSchool further reported that “the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.” It further stated: “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.” Finally, PowerSchool has indicated that: “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. . . .We have a video confirming deletion.” Even though the data has likely been deleted, PowerSchool has also engaged with third party contractors to monitor for evidence of future dissemination of this data. PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.
We are taking this matter extremely seriously. We share your deep concern about unauthorized access to confidential information about students and staff. We find PowerSchool’s 10-day delay in notifying us about the breach unacceptable. We are committed to ensuring that protecting student and educator data remains secure.
We are following up with PowerSchool to find out more information on how our district was specifically affected. As we receive more information, we will relay this to families and the community and to any specific individuals impacted. If you have any questions, please do not hesitate to reach out to me.
Sincerely,
Chip McGee