Some Connecticut school districts have been impacted by a cybersecurity breach affecting the PowerSchool Student Information System.
PowerSchool is a software used to keep track of your child's report cards, fill out their school forms or put money in their cafeteria accounts.
Dozens of Connecticut school district had their data breached in a cybersecurity hack at the end of December.
PowerSchool said the incident is contained, but cybersecurity experts and parents alike say it's unsettling.
Get top local stories in Connecticut delivered to you every morning. >Sign up for NBC Connecticut's News Headlines newsletter.
"I was concerned. All the data, these are parents and kids in school, this is very concerning, it shouldn’t be happening,” Chetan Jaiswal said.
Jaiswal, a Wallingford Public Schools parent is also a cybersecurity professor at Quinnipiac University.
For some, names, addresses and even payment information was compromised through the data breach.
Local
"Cybersecurity is everyone's responsibility,” Jaiswal said.
In addition to Wallingford, school districts in Cromwell, Montville and Newington were notified of the breach. Region 1 in Canaan also had student and staff information compromised, in addition to Region 16 in Prospect.
"We're fortunate we don't store social security numbers or credit cards if they purchase items or devices,” Region 16 Superintendent Michael Yamin said.
Yamin said they're operating under the assumption that all student and staff data was taken. They'll continue using PowerSchool, but he said it's a good learning moment to make sure the district is cybersecure.
"We're going to beef up what we’re doing, going to check protocols again. It wasn’t us that was breached, but our data was taken,” Yamin said.
"It seems to be a hopefully-contained breach. Not as bad as some of the other ones that are out there,” said Frederick Scholl, the director of Quinnipiac University’s cybersecurity program. “It seems like it was caused by a, stolen credential from one of their administrative people. And this, you know, this shouldn't be happening."
Scholl said the best practices for keeping your data safe are ever-evolving. He said you can expect organizations to move away from just using passwords, and adopt two-factor authentication.
"I think what you have to do is make sure you're not putting information in there that you don't want somebody to share, and that's going to include health information, finance information,” Scholl said.
Connecticut's Department of Education said individual districts contract with PowerSchool, not the state.
PowerSchool was unable to tell us exactly how many Connecticut school districts were impacted as of this afternoon.
Cromwell
Cromwell Public Schools notified families that PowerSchool notified them about a cybersecurity incident on Dec. 22 and many school districts around the state are impacted.
Cromwell school officials said the extent of the breach is not yet known, but it is possible that some student data was compromised and Cromwell Schools does not store social security information in its student information system.
Montville
Montville Public Schools posted on its website that PowerSchool notified them of a data breach that affects Montville Public Schools students, families and educators.
Newington
Newington Public Schools posted that it has been informed that some information might have been compromised in a potential breach of the PowerSchool Student Information System. The system contains student and staff data that is housed off-site.
Region 1
Melony Brady-Shanley, superintendent of schools for Region 1, said in a social media post that the school district learned on Tuesday that the PowerSchool system might have been compromised by a cybersecurity breach and they have since learned that students’ and staff members’ information across Region 1 has been impacted by the breach.
PowerSchool reported that their system was subject to a cybersecurity breach on Dec. 28 and the issue is not isolated to Region 1 but is affecting numerous school districts locally, nationally and internationally, according to Region 1.
At 3 p.m. on Wednesday, Region 1 staff will attend a webinar addressing the scope of the breach and discussing remediation efforts and staff and families will be updated on Thursday with new information and guidance.
Region 16
Michael P. Yamin, Region 16’s superintendent of schools, notified the school community that an unauthorized party gained access to certain SIS customer data, including Region 16 data, through a compromised credential in PowerSchool’s customer support portal.
He said PowerSchool does not anticipate the data being shared or made public and they believe that it has been deleted without any further replication or dissemination.
The information accessed includes data related to students, families, and educators, he added.
You can read the Region 16 message here.
Wallingford
Wallingford's superintendent said they were notified of the breach and that an unauthorized party accessed specific SIS customer data, including Wallingford Public Schools' data, through a compromised credential in PowerSchool's customer support portal.
Statement from PowerSchool
A PowerSchool spokesperson released a statement on Wednesday:
"On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. The incident is contained and we do not anticipate the data being shared or made public. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
"As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.
"PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously. Our priority is to support our customers through this incident and to continue our unrelenting focus on data security.
"PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together."
No information was immediately available on which other school districts might be impacted.
Wethersfield Schools said they were notified that their data was not compromised in the breach.
