
(This story was updated to accurately reflect the most current information.)
Data breached in a cyberattack on a California-based software provider may have included names, addresses, social security numbers and other information stored for local schools.
Harbor Creek and Fairview school districts, Mercyhurst Preparatory School and the Saegertown-based Penncrest School District are among PowerSchool customers notified earlier this month that information stored in the company’s cloud-based databases may have been obtained by a hacker who used stolen credentials to log in to a PowerSchool support portal in December.
The security breach was limited to the company’s student information system database, which includes parent and student names and contact information and, in some cases, social security numbers, medical information and student records, Penncrest Superintendent Shawn Ford said in a letter posted on the district website on Jan. 10.
School officials have notified students and staff affected by the breach as well as law enforcement agencies. In the Harbor Creek School District, the breached data did not include sensitive information, technology supervisor Jeff Shumaker said.
“We looked at fields that were downloaded in the breach, and they mainly included what’s considered to be public information rather than the kind of information that the hackers would have been after,” Shumaker said. “We don’t store social security or credit card numbers.”
Staff data was not included in the breach, he said.
Are other schools at risk?
It’s not known how many PowerSchool customers were affected by the breach and if any other Erie area school districts or schools were notified that their data may have been hacked. The company has more than 18,000 customers serving more than 60 million students worldwide, according to USA Today.
Erie, Millcreek, Corry, Iroquois, North East, Northwestern and Wattsburg school districts do not use PowerSchool’s student information system and therefore were not affected by the data breach, officials told the Erie Times-News. Others that do use PowerSchool to store student information, including the General McLane and Union City school districts, were not among those notified that their data may have been breached.
Girard, Fort LeBoeuf, Millcreek and other districts use PowerSchool services for purposes other than student information storage, including business and human resources applications. Those systems were not breached, PowerSchool said.
“PowerSchool’s documentation clearly indicates that none of these (other) products were compromised,” Girard schools Superintendent David Koma said.
The district nevertheless has taken steps to ensure that its data remains protected, Koma said.
“The district has proactively implemented precautionary measures, including blocking and scanning for specific information and IP addresses reported by PowerSchool,” he said.
Next steps
PowerSchool informed customers that the student information system breach has been contained and that there is little risk that stolen data will be misused. The company said that it is working with the FBI and cybersecurity experts to determine who was behind the hack.
PowerSchool has since advised affected customers that the data breach has been resolved and that information acquired by the hackers has been satisfactorily proven to have been destroyed, said Amy Ritzel, director of marketing and communications at Mercyhurst Prep.
And PowerSchool has engaged Experian to provide two years of complimentary identity and credit monitoring services for students and adults whose data was breached, Ritzel said.
Prior students also were affected by the breach, said Fairview schools Superintendent Donald Stark, and PowerSchool is working to notify them. And school I.T. staff has confirmed that there was no breach of school district-operated systems.
“The breach was through PowerSchool. It had nothing to do with our systems,” Stark said.
Officials of local schools affected by the cyberattack continue to monitor the situation and the company’s response.
“Our school administration is actively pressing them for answers and ensuring they provide appropriate support and protection for our community. We have demanded that PowerSchool provide timely updates about their investigation and specific information about available services as soon as possible,” Penncrest’s Ford said.
“Now the question is, do we stay with PowerSchool,” Stark, of Fairview, said. “Are we confident they’ve fixed it?”
What to know:PowerSchool data breach impacts schools
Contact Valerie Myers at vmyers@timesnews.com.