Cape Elizabeth has been made aware of a nationwide breach of PowerSchool. Cape Elizabeth does use PowerSchool as our Student Information System.
PowerSchool shared with Cape Elizabeth that our data has been compromised. We are sharing with the community what we know.
What happened?
On December 28th, PowerSchool discovered that one of their Maintenance Accounts had been compromised. This Maintenance Account was used to access and to copy data from schools worldwide. PowerSchool then initiated their cyber security response process. PowerSchool worked with a third-party cybersecurity expert to prevent the release of the data copied.
PowerSchool Communication
Since the breach rests with PowerSchool, we want to share the information that PowerSchool has provided us directly with the community. The following information is directly from PowerSchool:
“Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.”
“We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.”
“Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.”
Additionally, PowerSchool has indicated that they are continuing to work with law enforcement.
What data could’ve been accessed?
Demographic information for students and staff, including Personally Identifiable Information (PII) is included. This information includes name, addresses, date of birth, gender, ethnicity, and names of contacts. While the fields include Social Security numbers, Cape does NOT normally record social security numbers. However, we did identify less than two dozen Social security numbers from past students that could potentially have been compromised. No financial information or student pictures were exfiltrated.
Cape Elizabeth Steps
Cape Elizabeth has investigated the impact of this breach on PowerSchool. While data was copied, there are a few important informational pieces:
There were two data pieces that were copied, student and teacher tables. These tables do include demographic information
Cape Elizabeth does NOT normally record Social Security numbers in those tables. However, after a complete review, we did identify less than two dozen potential compromises of previous students. All of those students have been contacted
Cape Elizabeth has taken additional steps to further increase our security. While this breach was targeted at a vendor and outside of the control of Cape Elizabeth, we have implemented additional security measures. We are also reviewing and updating our security procedures (this is a constant process for us)
Cape Elizabeth is following the procedures and information provided by PowerSchool and our own best practice procedures
PowerSchool Follow Up Information
PowerSchool has created a website to update those individuals whose information was breached. FAQ’s for families and educators are included on the PowerSchool Breach Informational Page.
Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.
Identity Protection: PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved.
Credit Monitoring: PowerSchool will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
PowerSchool will coordinate with Experian to provide notice to students (or their parents / guardians if the student is under 18) and educators, as applicable, whose information was involved, as well as a call center to answer questions from the community. The notice will include the identity protection and credit monitoring services offer (as applicable).
Summary
We will continue to provide the community with updates and communications as we learn more. We will be posting updates to our website.