Dear Randolph Families and Colleagues,
We are writing to share information about a data breach that has affected our school district and many others around the state, nation, and globe. We have been notified by PowerSchool, the company that provides the student information system used by our District, of a cybersecurity incident affecting their systems. PowerSchool has informed us that this incident involved unauthorized access to their data systems globally between the dates of 12/19 and 12/28. We want to share our current understanding of this incident and how it has affected Randolph Public Schools students and staff. This situation is concerning to all of us and we are actively working to get more information.
Summary of events: On January 8, PowerSchool informed us that a threat actor compromised their company-level security. The actor was able to use a PowerSchool remote support tool to access many districts’ data across multiple countries. We have confirmed locally that this included the Randolph Public Schools. PowerSchool has assured its customers that the incident has been contained prior to any of the stolen data being disseminated. Their response team has stated that there is no evidence of continued unauthorized activity and that they have taken a number of security steps to protect their clients. Our local review of our system supports the timelines for unauthorized access presented by PowerSchool.
PowerSchool has expressed that:
1. They do not anticipate the data being shared or made public. PowerSchool contracted multiple vendors with experience in this kind of situation to help contain and respond to the threat. The response team believes the data accessed has been irrevocably destroyed without any replication or dissemination. PowerSchool said it did not experience a ransomware attack, but that the company was extorted into paying a financial sum to prevent the hackers from leaking the stolen data.
2. They are working with a cybersecurity technology company to monitor the public domain to ensure the data was not and will not be reshared.
3. They are working with federal agencies to identify the actor(s) involved.
What Randolph Public Schools data was affected? This incident resulted in the downloading of student and staff demographic data located in the Randolph Public Schools PowerSchool system (including names, addresses, phone numbers, email addresses, student ID numbers and birthdates, and staff ID numbers). The data did NOT include any passwords, credit card information, legal documents used during student registration, photos, or other educational information about students or staff. Student health records were NOT included, although if a health alert was included in a student’s demographic data (such as a food allergy) that may have been included. Social Security numbers and dates of birth of staff stored in the part of the system that was accessed were compromised. Again, PowerSchool has indicated that they believe all the data that was downloaded has been destroyed at this time.
What are the next steps? We learned as much as we could in a webinar hosted by PowerSchool’s senior executives on Wednesday 1/9 from 3pm to 4pm. Based on the information provided to us we ask that you note:
- There will be additional information available in the coming days and/or week as they complete a full investigation.
- PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations, with more details to come.
- Because no passwords were accessed for student, staff, or parent portal accounts, and because of the process we use to log in to PowerSchool, there is no need for password changes in the district at this time.
- A major factor in this incident was the lack of multi-factor authentication (MFA) in accessing the resource used to steal the data. Though the breach did not have anything to do with user accounts here at Randolph, it does highlight the ever increasing need to use best practice to secure access to our systems. We will be issuing guidance to staff in the upcoming weeks on how to turn on MFA with varying options for its use. It is in everyone’s best interest that all members of Randolph Public Schools participate.
What steps should you take at this time? While PowerSchool continues to investigate, we recommend the following precautionary measures:
Monitor your district computer accounts: Keep a close eye on your accounts and report any suspicious activity to the tech support team in your building (staff) or email techprob@Randolph.k12.ma.us (parents).
Be cautious of phishing: Be vigilant about unexpected emails or calls requesting personal or school information.
We are working hard to do everything possible to prevent cybersecurity issues with the systems that are under our control, and we are deeply concerned that this breach in the PowerSchool global system compromised some of our data. When there is further guidance from PowerSchool or we receive other information, we will provide you with an update. You may also receive updates directly from PowerSchool.
Sincerely,
Dr. Thea Stovell Herndon, Superintendent
Jim Puccio, Director of Technology
Sean Walsh, Director of Human Resources