Lower Merion and Haverford are part of a school data breach involving personal student and staff information
Schools nationally have been hit by the data breach, with news outlets from Kansas to Maine reporting this week on local districts affected.
The Lower Merion and Haverford Township school districts are among schools nationally affected by a data breach involving PowerSchool software, district officials said Wednesday.
Officials said they aren’t yet sure what data were accessed, but they might have included “personally identifiable information” for staff and students, including names, addresses, and student health and grade information, Lower Merion’s acting superintendent, Larry Mussoline, said in a message to the community. He said the district was working to confirm that staff Social Security numbers were not accessed; Lower Merion does not collect student Social Security numbers.
In Haverford Township, officials told families Wednesday that PowerSchool believes a tool was used to extract tables that “primarily include contact information with data elements such as name and address information.”
But for “a subset” of the company’s customers, the tables may also include Social Security numbers and other personal information “for current and former students depending on the specific school district,” Haverford Superintendent Maureen Reusche and director of technology Robert Anderson said in a message to families.
Amy Buckman, a spokesperson for Lower Merion schools, said Thursday that PowerSchool briefed the district Wednesday but didn’t share specifics, telling school officials it still needed to analyze what was accessed from each district.
However, PowerSchool “did reiterate that they are reasonably confident that the bad actor destroyed all copies of all the data they accessed and that it won’t be shared or appear on the dark web,” Buckman said.
In a statement Thursday, a PowerSchool spokesperson said that the company has “taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. The incident is contained and we do not anticipate the data being shared or made public.”
“PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers,” the spokesperson said.
Schools nationally have been hit by the data breach, with news outlets from Kansas to Maine reporting this week on local districts affected; it’s unclear how many are in the Philadelphia area. PowerSchool did not answer a question Thursday on how many schools were involved.
Both Lower Merion and Haverford officials said they were informed Tuesday by PowerSchool that their data might have been accessed. The company learned of the incident on Dec. 28, Mussoline said.
Lower Merion’s IT team researched the issue and found that “unauthorized access to our system occurred on Dec. 21,” Mussoline said.
He said PowerSchool told the district that someone used “a compromised credential to access data stored in their Student Information System (SIS).” Upon learning of the incident, the company notified law enforcement, “locked down the system and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors.”
Lower Merion officials said they had notified their cybersecurity contractor, CrowdStrike, which will work with PowerSchool to investigate. The district said CrowdStrike expects a full report by Jan. 17.
PowerSchool plans to provide credit monitoring to “affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations,” according to Mussoline. The district said it would share resources with anyone affected by the breach when it learned more.
“We’re committed to sharing additional information with our community once we have it to share, but we are dependent on PowerSchool, since it was their system that was breached,” Buckman said.