Wellesley Public Schools has shared that the nationwide PowerSchool software data breach has hit home.
WPS has been notified by the maker of student information system technology that personal information of students and teachers has been compromised, as it has for thousands of other districts.
A memo from Superintendent David Lussier and Director of Educational Technology Adam Steiner stated: “In a webinar held this afternoon, officials from PowerSchool stated that the information breach was part of a targeted attack where a compromised credential in PowerSchool’s customer support portal was used to find and download a large amount of data from schools nationwide. The information accessed pertains to students, families, and educators.
“PowerSchool learned of the attack when the perpetrator informed PowerSchool of the breach and asked for payment to destroy the data. PowerSchool officials said they paid the perpetrator an undisclosed amount of money in exchange for video evidence that the data was deleted. PowerSchool officials stated that they believe there are no additional copies of the data and that the data will not be shared with the public.”
The district’s technology department is now investigating the situation to determine which categories of information were involved in the breach. No bank or credit card data is collected in PowerSchool. Neither photos nor password information was included in the breach.
“We acknowledge that this is concerning news, and will share more details with you as we learn more,” the memo states.
You’d never know from looking at PowerSchool’s website that anything’s amiss. But reports on the incident, including one on the BleepingComputer website, say PowerSchool informed affected school districts on Tuesday about the Dec. 28 cybersecurity incident.
“Although this reportedly was not a ransomware attack, PowerSchool ended up paying a ransom to prevent the data from being leaked,” BleepingComputer reported.
PowerSchool, which recently went private via a Bain Capital acquisition, issued a statement about the cybersecurity incident. According to a report on NBCCT, the statement included: “On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. The incident is contained and we do not anticipate the data being shared or made public. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.”