PowerSchool Data Breach Information

The District was notified by PowerSchool of a cybersecurity breach.

This page will serve as a means to organize information in one place for families and staff.

PowerSchool’s Informational Website

  • January 9, 2025

    Dear NPS Staff & Families 
     

    This is an update on the PowerSchool cybersecurity incident. 

    We were notified by PowerSchool on the afternoon of January 7, 2025, that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals, PowerSource. PowerSchool has indicated an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and that District data was accessed. 

    Specifically, PowerSchool reported that it:

    “Believe[s] the export data manager tool was used to extract only student and teacher tables. These tables primarily include contact information with data elements such as name and address information. For a subset of the customers, these tables may also include Social Security Number (SSN), other Personally Identifiable Information (PII), and some medical and grades information for current and former students depending on the specific school district.”

    Norton Public Schools does not store Social Security Numbers within the PowerSchool SIS. 

    PowerSchool has reported to the District that it “engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.”  PowerSchool further reported that:  “Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.”  It further stated:  “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”  Finally, PowerSchool has indicated that:  “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. . . .We have a video confirming deletion and are actively searching the dark web to confirm.”

    PowerSchool has indicated that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.

    PowerSchool sent a general notice to all districts that use their products. We are following up with PowerSchool to find out more information on how the District was specifically affected and for more details on the incident.  As we receive more information, we will relay this to families and staff. This incident occurred outside of Norton’s control. There was nothing NPS could have done to prevent this unauthorized access. If you have any questions, please do not hesitate to reach out to us.

    Jennifer O'Neill, Superintendent

    Karen Winsper, Director of Instructional Technology


    January 8, 2025

    Dear NPS Staff & Families 
     

    We have been notified by PowerSchool, our student information system, that they experienced a national cyber security incident in December. At this time, we do not know the scope or the impact that this incident may have had on our student and staff information. Our team is participating in an informational call with PowerSchool this afternoon and will update you when additional information becomes available. 


    Jennifer O'Neill, Superintendent
    Karen Winsper, Director of Instructional Technology

  • On January 7, 2025, the Norton Public Schools was notified of a cybersecurity breach by PowerSchool, the largest provider of K-12 student information education software, that potentially impacted student and staff data. During an informational webinar with PowerSchool and school districts nationwide, it became apparent that Norton’s student and staff data was accessed by an unauthorized party, although we do not have confirmation from PowerSchool of what exactly was included in the breach. Here’s what we do know:

    • On December 28, 2024, PowerSchool became aware of an unauthorized party who gained access to PowerSchool’s PowerSource management support site using stolen credentials.
    • The bad actor was able to extract data from schools nationwide using the compromised credentials.
    • PowerSchool reports it does not anticipate the data will be shared or made public. They believe it has been deleted without further replication or dissemination and they have video proof of destruction.
    • PowerSchool reports the incident is contained and the compromised account was shut off and its password reset.
    • PowerSchool reports all employee passwords were reset within PowerSource.
    • PowerSchool reports that staff and student personally identifiable information (PII) was included in the breach. 
    • Although not admitting it was a ransomware attack, PowerSchool paid an undisclosed amount of money for the data to be destroyed in what is considered a data extortion attack.
    • PowerSchool reports it continues to investigate the specifics of the breach.
    • PowerSchool’s student information system was the only software product affected in the breach. Norton does utilize other PowerSchool products such as Naviance and Schoolspring that were unaffected by the breach. 
    1. When did PowerSchool find out about the breach? December 28, 2024
       
    2. When did NPS find out about the breach? By email on January 7, 2025
       
    3. What data was accessed? We are still waiting for PowerSchool to confirm the data that was accessed in our database. We anticipate it could potentially include student, staff, and family names, addresses, phone numbers, email addresses and other directory information. It may also contain grade levels, DOB, and other class and school information. 
       
    4. Were student or staff social security numbers compromised? No. We do not store social security numbers for students and staff in the PowerSchool SIS. 
       
    5. Is PowerSchool currently safe to use? PowerSchool has assured districts that it is safe to use. It has assured us that no district level passwords were compromised and data has not been altered within the SIS. Based on this information, we continue to use the software with no restrictions for staff, students, or families. 
       
    6. What about the potential for backdoor access to the PowerSchool SIS? PowerSchool has engaged with CrowdStrike, a leading cybersecurity organization, to conduct a forensic analysis of event logs during the unauthorized access period. They will provide updates if new information becomes available. However, PowerSchool does not feel any backdoor access was created.
       
    7. Will PowerSchool provide identity protection or credit monitoring to those individuals impacted by the data breach? PowerSchool has noted they would provide monitoring services to those impacted but we do not have specifics of exactly who this includes. We are currently awaiting additional information regarding this possibility. Because NPS doesn’t store social security numbers, this could impact the availability of monitoring services. 
  • The Federal Trade Commission (FTC) recommends the following actions when a child’s personal information has been compromised in a breach. This was taken from the FTC Identity Theft website.


    Request a free credit freeze for your child. A credit freeze will make it difficult for someone to use your child’s information to open accounts. To place a freeze, follow the specific instructions for each credit bureau:

    Generally, children won’t have credit reports — unless someone is using their information for fraud. To find out if your child has a credit report, ask each credit bureau to check its records. Each bureau has specific instructions for these requests:

    If a credit bureau has a credit report for your child, the credit bureau will send you a copy of the report. Use the instructions provided with the credit report to remove fraudulent accounts.

    Review the FTC’s information on Child Identity Theft.

  • Norton Public Schools has been working with the Massachusetts Student Privacy Alliance (MSPA) to develop a standardized data privacy agreement for all vendors that store any student information with personally identifiable information (PII).

    The Data Privacy Agreement requires all vendors to:

    • Ensure industry best practices are being followed with respect to data privacy and data security.
    • Provide the school district the right to audit the vendor for compliance.
    • Not resell or use student information for any other purpose than the service it was intended for. 
    • Provide the school district notification of a data breach, if one should occur, within a specific time frame.
    • Ensure the school district retains ownership of all student data regardless of where the data resides.
    • Follow the laws protecting students’ rights for data privacy - CIPA, COPPA, FERPA and PPRA.

     

    Norton Public Schools is working closely with The Education Cooperative (TEC) to facilitate the execution of these data privacy agreements with all vendors. TEC represents a number of school districts across Massachusetts concerned with student data privacy.