At least three MetroWest school districts were affected by a nationwide data breach linked to the school software company PowerSchool.
Wellesley, Millis and Hopkinton were among the Massachusetts school districts affected by the data breach, which could have compromised school district information, including personal information about teachers and students.
In an email sent to parents, Wellesley Superintendent of Schools David Lussier and Director of Educational Technology Adam Steiner said they would investigate the breach.
“In a webinar held this afternoon (Jan. 8), officials from PowerSchool stated that the information breach was part of a targeted attack where a compromised credential in PowerSchool’s customer support portal was used to find and download a large amount of data from schools nationwide,” the Wellesley email reads. “The information accessed pertains to students, families and educators.”
According to the two, PowerSchool learned of the attack when the perpetrator informed the company of the breach and asked for payment to destroy the data.
“PowerSchool officials said they paid the perpetrator an undisclosed amount of money in exchange for video evidence that the data was deleted,” Lussier and Steinber wrote. “PowerSchool officials stated that they believe there are no additional copies of the data and that the data will not be shared with the public.”
Wellesley Public Schools said it will compile a list of information included in the breach. No banking or credit information is collected by PowerSchool, and no photos were included in the breach.
PowerSchool data breach affects schools nationwide
According to WHDH, Millis Public Schools was also affected by the breach. NBC Boston also reported that Hopkinton Public Schools was impacted.
In a statement to WCVB-TV, PowerSchool confirmed the breach but said it is not experiencing any disruptions. The Folsom, California-based company became aware of a “potential cybersecurity incident” in late December.
“PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers,” the company’s statement reads. “As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.”
The statement continued: “PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously. PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
According to its website, PowerSchool is a provider of cloud-based software for K-12 education, connecting the central office to the classroom to the home. It was acquired in October by Boston-based Bain Capital in a $5.6 billion deal, the company reported on the website.