Dear Families and Staff,
I am writing to follow up on an important message that went out to the Spencer-East Brookfield community earlier this week regarding PowerSchool’s report of a cyber incident. PowerSchool, the Student Information System (“SIS”) used by Spencer-East Brookfield, has indicated that through this incident, an unauthorized party gained access to certain data housed in our SIS, as well as the data of other PowerSchool customers nationwide.
While PowerSchool has only sent general notices to districts, the SEBRSD IT team has confirmed that sensitive, personally identifiable information was exported from our school district’s SIS. For students, listed are some of the data fields with personal information that were exported: name, date of birth, address, web ID (email login), gender, race, IEP status (a simple yes or no designation), medical alerts (not including medical data, but simply alerting staff to the existence of a health care plan, a seizure disorder, an allergy, etc.). For staff, listed are some of the data fields with personal information that were exported: name, date of birth, address, email address, ethnicity, gender, and race. A full, comprehensive list of the exported data fields and other pertinent information will be posted on our district website as soon as possible.
Our current understanding indicates that only PowerSchool SIS data was exported. The breach did not affect PowerTeacher Pro (grades), Special Programs, Naviance (a college or career readiness platform), or other teaching and learning tools. Student disciplinary records, counseling records, IEPs, medical records, or 504 plans were not obtained.
In addition to the above data extractions, our IT team has evidence that the Social Security Numbers of former students, who either graduated or transferred out of Spencer-East Brookfield roughly between 2001-2009, were also obtained, as well as the SSNs of some former employees. While we do not generally store SSNs for current staff or students, we have identified a small number of individuals who may have been affected. If your child had protected information noted above that was affected by this incident, we will notify you of the specific category of information through a separate email. This email will be specific to your child and provide contact information in the event you want to follow up directly with school staff.
PowerSchool has reported to the Districts nationwide that it “engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.” PowerSchool further reported that: “Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.” It further stated: “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.” Finally, PowerSchool has indicated that, "We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination...We have a video confirming deletion and are actively searching the dark web to confirm.”
PowerSchool has indicated that it will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.
The Spencer-East Brookfield RSD has reported this matter to law enforcement, and our response will continue to be guided by legal counsel. The District intends to fulfill its notification requirements per Massachusetts General Law. We take our commitment to data privacy very seriously, so you can expect an additional update as soon as possible. Thank you for your attention, understanding, and support.
Sincerely Yours,
Christian Gemme
Technology Coordinator
and
Paul S. Haughey, Ed.D.
Superintendent of Schools
Spencer-East Brookfield Regional School District