Please Read: Cybersecurity Issue

Dear Shrewsbury Families and Colleagues, 

We are writing to share information about a concerning cybersecurity incident that has affected our school district and many others around the state, nation, and globe.  We have been notified by PowerSchool, the company that provides the student information system used by our District and many others across the country and world, of a cybersecurity incident affecting their systems. PowerSchool has informed us that this incident involved unauthorized access to their data systems globally. We want to share what we know at this moment about this incident and what we know now about how it has affected Shrewsbury Public Schools. We recognize that the information we’re sharing is concerning to all of us. 

What is the issue? PowerSchool has informed us that an actor compromised their company-level security, and that through this the actor was able to access many districts’ data across multiple countries. We have confirmed locally that this included Shrewsbury Public Schools. PowerSchool has assured its customers that the incident has been contained, that there is no evidence of continued unauthorized activity, and that they have taken a number of security steps to protect their clients. Our local review of our system supports this. 

PowerSchool has expressed that:   
1. They do not anticipate the data being shared or made public because they believe the data accessed has been irrevocably destroyed without any replication or dissemination. PowerSchool said it did not experience a ransomware attack, but that the company was extorted into paying a financial sum to prevent the hackers from leaking the stolen data.

2. They are working with a cybersecurity technology company to monitor the public domain to ensure the data was not and will not be reshared.

3. They are working with federal agencies to identify the actor(s) involved.

What Shrewsbury Public Schools data was affected? This incident resulted in the downloading of student and staff demographic data that is located in the Shrewsbury Public Schools PowerSchool system (including names, addresses, phone numbers, email addresses, student ID numbers and birthdates, and staff ID numbers). The data did NOT include any passwords, credit card information, legal documents used during student registration, photos, or other educational or personnel information about students or staff. Student health records were NOT included, although if a health alert was included in a student’s demographic data (such as a food allergy) that may have been included.  Again, PowerSchool has indicated that they believe all of the data that was downloaded has been destroyed at this time.

What are the next steps? Because no passwords were accessed for student, staff, or parent portal accounts, and because of the process we use to log in to PowerSchool, there is no need to change your password at this time. We participated in a webinar hosted by PowerSchool’s senior executives today from 3pm to 4pm, and based on the information provided to us we ask that you note:

  • There will be additional information available in the coming days and/or week as they complete a full investigation.
  • PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations, with more details to come.

What steps should you take at this time? While PowerSchool continues to investigate, we recommend the following precautionary measures: 

  • Monitor your accounts: Keep a close eye on your accounts and report any suspicious activity to the tech support team in your building (staff) or email parenttechsupport@shrewsbury.k12.ma.us (parents). 
  • Be cautious of phishing: Be vigilant about unexpected emails or calls requesting personal or school information.

This incident is concerning to all of us.  We work hard to do everything possible to prevent cybersecurity issues with the systems that are under our control, and we are deeply concerned that this breach in the PowerSchool global system compromised some of our data. When there is further guidance from PowerSchool or other information we receive, we will provide you with an update.  You may also receive updates directly from PowerSchool.  If you have any further questions or concerns, please feel free to reach out to Kadion Phillips, Director of Information Technology, at kphillips@shrewsbury.k12.ma.us.  

Sincerely,

Kadion Phillips, Director of Information Technology
Barbara A. Malone, Executive Director of Human Resources
Joe Sawyer, Superintendent of Schools
