Students in Westerville City Schools are among victims of a global data breach that saw their personal student information hacked, the school district announced Thursday night in an email to parents.
And at least several other central Ohio school districts also use PowerSchool, a software platform that allows districts to manage and store information about class assignments, attendance and more, which reported it was hacked through its PowerSource community-focused customer portal on Dec. 28.
The California-based company, whose website says it serves 60 million students at 18,000 school districts and organizations, told its customers that a large amount of student, family and educator data was dowloaded by the hacker, who demanded money to delete the stolen data. PowerSchool paid the money and the data was deleted, but the company is working with the FBI’s cybsersecurity operation.
On Wednesday, PowerSchool began holding webinars with affected school districts to explain what happened when access was gained through compromised credentials and what information may have been hacked. Not all of PowerSchool’s customers were affected the same way, so school districts affected are expected to notify their staffs, students and parents.
In its email to parents, Westerville City school district said that PowerSchool is still working to identify the scope of the breach, but said that the breach has been contained.
Only data on PowerSchool was breached, and Westerville City school district accounts on other platforms such as Google were not accessed, the district said. The district also noted that they do not store the Social Security numbers of students in PowerSchool.
Westerville City Schools said they are working closely with vendor partners and the district’s IT team to conduct a “thorough review” of the breach. The district also said that the accessed data was deleted and should not be shared publicly. There is no evidence of malware or ongoing unauthorized activity within their systems, according to the district.
Whether several other central Ohio school districts that use PowerSchool were also impacted by the breach could not immediately be confirmed Thursday night.
Olentangy Local School District in Delaware County uses PowerSchool, and its website indicates that second quarter grades would be available on the platform Friday. The largest suburban school district and the fourth largest district in the state, Olentangy’s website did not appear Thursday night to contain any mention of a data breach from its use of PowerSchool. Messages left with district representatives Thursday night were not immediately returned.
Upper Arlington Local School District also uses PowerSchool to provide students and parents portal access to grades, schedules and attendance information for students from K-12. “It is the most important resource for monitoring your student’s progress and finding missing assignments,” the website states. But no mention could be found on the website Thursday night about the PowerSchool data breach.
Karen Truett, spokesperson for the Upper Arlington school district, told The Dispatch on Thursday night that she was aware of the breach but didn’t have any details.
Grandview Heights, Granville Exempted Village, Licking Heights, New Albany-Plain Local Schools, Newark City, and Canal Winchester school districts also use PowerSchool, according to online information, but no mentions about the software company’s breach could be found on their websites Thursday night.
Heath City Schools uses PowerSchool for job application tracking, but does not appear from its website to use it for tracking student information.
Hilliard City Schools appears from online information to use PowerSchool software for its Home Access Center.
In a communication sent to its clients nationwide, PowerSchool said it “become aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
“We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.”
In a statement released to media, PowerSchool said it is “not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers. As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.
“PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously. PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
Columbus City Schools, the state’s largest school district with some 45,000 students, uses Infinite Campus software for class schedules, assignments, grades, attendance, and more, according to online information.
Also using Infinite Campus are Dublin City School District, Gahanna-Jefferson Public Schools, Pickerington Local School District, South-Western City School District, and Worthington City School District. Worthington schools discontinued its district portal effective Jan. 3.
Madison-Plains Local School District uses ProgressBook software, according to online information.
Grove City Area School District’s website shows no indication that district uses PowerSchool.
smeighan@dispatch.com
@ShahidMeighan
This article originally appeared on The Columbus Dispatch: Power School data breach may impact several central Ohio districts