May 9, 2025

To: Parents, Guardians, and Staff
From: Collegiate Charter School of Lowell
Subject: Important Update Regarding PowerSchool Data Security

Dear Families and Educators of Collegiate Charter School of Lowell:

We were notified today of a recent development related to the cybersecurity incident PowerSchool experienced in December 2024. In our commitment to transparency we are sharing their communication below.

We want to assure everyone that as of this writing we have not been contacted by the threat actors and no extortion threats have been made to our school.  We will keep you informed if the situation changes.

We are writing to inform you of a recent development related to the cybersecurity incident PowerSchool experienced in December 2024.
PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident. PowerSchool does not believe this is a new incident.

Please be assured that both PowerSchool and Collegiate Charter School of Lowell are taking this situation very seriously. PowerSchool has informed us they are working with cybersecurity experts to thoroughly assess this development and have reported it to law enforcement in both Canada and the United States.

As a reminder, following that incident PowerSchool also offered and made widely available credit monitoring and identity protection services for a period of two years to students and faculty of Collegiate Charter School of Lowell regardless of whether they were individually involved. We encourage all those who were offered these services to take advantage of them by clicking here.

As was reported earlier this year, PowerSchool made the decision to pay a ransom because they believed it to be in the best interest of their customers and the students and communities they serve. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided PowerSchool.

We wanted to share this update as part of our ongoing commitment to transparency. We remain committed to working closely with PowerSchool and law enforcement to provide support in any way we can.

Sincerely,
Collegiate Charter School of Lowel

February 5, 2025

To: Parents, Guardians, and Staff
From: Collegiate Charter School of Lowell
Subject: PowerSchool Cybersecurity Incident Update 

Dear Collegiate Charter School Community –

We are writing to update you regarding the recent cybersecurity incident involving PowerSchool, the software vendor that provides our Student Information System (SIS).

On Wednesday, January 29, 2025, PowerSchool initiated the process of notifying individuals whose information was determined to be involved.

As previously mentioned, PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services to current and former students and educators that had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Security Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved individuals (or their parent/guardian, as applicable) for whom PowerSchool has sufficient contact information.

Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here.

Protecting our students and teachers remains our top priority. Thank you again for all of your support and understanding during this time. 

Sincerely,​
Collegiate Charter School of Lowell

January 9, 2025

Subject: Important Information Regarding a Recent Cybersecurity Incident

Dear Collegiate Charter School of Lowell Community:

This message is to inform you of a recent cybersecurity incident that occurred on December 22, 2024, involving unauthorized access to certain student information within the PowerSchool Student Information System (SIS).

What Happened:

• On Tuesday, January 7th, we were notified by PowerSchool of a data breach which occurred within PowerSchool’s customer support portal on December 22^nd.
• An unauthorized party gained access to certain SIS customer data, including Collegiate Charter School of Lowell data, through a compromised PowerSchool Administrator’s account.
• PowerSchool does not anticipate the data being shared or made public, and they believe that it has been deleted without any further replication or dissemination.

• The information accessed includes data including name, address, and phone number for current and former students and staff.
• Student and Staff email and computer account login were NOT compromised.

Steps Taken:

• PowerSchool immediately engaged their cybersecurity response team and law enforcement.
• The compromised PowerSchool support account was deactivated, and access to the affected portal has been restricted.
• Collegiate deactivated and reissued parent access codes and passwords to ensure further security.  This will not impact current parent portal access.
• An incident report from a 3rd party contracted by PowerSchool is expected by January 17th.

Collegiate Charter School understands this news may cause concern, and we sincerely apologize for this incident. We are committed to protecting the privacy and security of your information and working closely with you to address any concerns you may have.  We will continue to update you as the situation evolves. Although we don’t anticipate any issues, out of an abundance of precautions we urge you to monitor your accounts and report anything suspicious.

If you have any questions or concerns, please contact Christian Simard, Director of Technology at IT@CollegiateLowell.org.

Sincerely,

Adam Bakr
Executive Director
Collegiate Charter School of Lowell

Q. How did this data breach happen?

1. On January 7, 2025, Collegiate Charter School of Lowell was notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide, including several Massachusetts schools. Unfortunately, the breach resulted in the disclosure of Collegiate student and staff’s personally identifiable information (PII) to an unauthorized third party.

   PowerSchool stated that a support contractor’s login account was compromised which allowed authorized access into many of their clients’ data systems.

Q. When did the data breach occur?

1. The unauthorized access to our district’s data occurred on December 22, 2024, at 6:14PM and again at 9:04PM.

Q. When was PowerSchool first alerted about the data breach?

1. PowerSchool become aware of the breach on December 28, 2024, when the attackers contacted them with an extortion demand in exchange for destroying the data.

Q. When was Collegiate first alerted about the breach?

1. PowerSchool notified Collegiate of the breach on January 7, 2025 around 2PM via email.

Q. Did PowerSchool pay the extortion demand?

1. PowerSchool did confirm that they paid the attackers an undisclosed amount of money in exchange for video proof that the electronic destruction of the stolen data happened.

Q. Does Collegiate use other PowerSchool products? Were those affected?

1. Collegiate does use other products from PowerSchool, but those were not affected according to PowerSchool. This was only a breach with the Student Information System (SIS).

Q. What specific Personal Identifiable Information (PII) was exposed?

1. Please refer to the tables in the other sections below, where those are explained. There were two database tables, Students and Teachers, that were exposed.

Q. Was Private Health Information (PHI) exposed?

1. No medical records were disclosed, however some medical alerts and physician information related to students were.

Q. Were staff or student social security numbers exposed?

1. Current and former students: no, these were no instances of any social security numbers compromised, because we do not store those in PowerSchool.
   
   However, for 1 staff member we have discovered that their social security number was included in this data breach, and we have notified them directly.

Q. Is PowerSchool SIS safe to use?

1. PowerSchool has continued to assure us that it is. There were no passwords compromised to our systems and no data was tampered with. PowerSchool assured Collegiate that they will continue to make improvements and place safeguards to further protect the system.

Q. Is there a potentional backdoor access to our SIS?

1. PowerSchool has been working CrowdStrike, a top-leading cybersecurity organization, to conduct further forensic analysis of all logs during the events. They have stated they will provide more information as they get them. At this time, PowerSchool does not feel any backdoor access was created. PowerSchool has also confirmed that have taken immediate action to ensure the previous access obtained is restricted.

Q. What is Collegiate doing to protect the privacy and safety of staff and student data?

1. As always, we are conintuning to review all of our digital systems to ensure they are as secure and safe as possible. This includes audits, phishing trainings and simulations, automated account management tools, and continuing to require multi-factor authentication.

Q. Does PowerSchool offer identity or credit monitoring to those affected by the data breach?

1. PowerSchool has stated that further information is to follow regarding this, as they are looking into offering those services.

Thank you to a sister Massachusetts district for providing some of these questions and formatting.