
PowerSchool Data Breach Information


Please see the message and details below regarding this incident that occurred on December 22, 2024.

  • February 5, 2025

    To: Parents, Guardians, and Staff
    From: Collegiate Charter School of Lowell
    Subject: PowerSchool Cybersecurity Incident Update 

    Dear Collegiate Charter School Community –

    We are writing to update you regarding the recent cybersecurity incident involving PowerSchool, the software vendor that provides our Student Information System (SIS).

    On Wednesday, January 29, 2025, PowerSchool initiated the process of notifying individuals whose information was determined to be involved.

    As previously mentioned, PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services to current and former students and educators that had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Security Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved individuals (or their parent/guardian, as applicable) for whom PowerSchool has sufficient contact information.

    Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here.

    Protecting our students and teachers remains our top priority. Thank you again for all of your support and understanding during this time. 

    Sincerely,
    Collegiate Charter School of Lowell

  • January 9, 2025

    Subject: Important Information Regarding a Recent Cybersecurity Incident

    Dear Collegiate Charter School of Lowell Community:

    This message is to inform you of a recent cybersecurity incident that occurred on December 22, 2024, involving unauthorized access to certain student information within the PowerSchool Student Information System (SIS).

    What Happened:

    • On Tuesday, January 7th, we were notified by PowerSchool of a data breach which occurred within PowerSchool’s customer support portal on December 22nd.
    • An unauthorized party gained access to certain SIS customer data, including Collegiate Charter School of Lowell data, through a compromised PowerSchool Administrator’s account.
    • PowerSchool does not anticipate the data being shared or made public, and they believe that it has been deleted without any further replication or dissemination.
    • The information accessed includes data including name, address, and phone number for current and former students and staff.
    • Student and Staff email and computer account login were NOT compromised.

    Steps Taken:

    • PowerSchool immediately engaged their cybersecurity response team and law enforcement.
    • The compromised PowerSchool support account was deactivated, and access to the affected portal has been restricted.
    • Collegiate deactivated and reissued parent access codes and passwords to ensure further security.  This will not impact current parent portal access.
    • An incident report from a 3rd party contracted by PowerSchool is expected by January 17th.


    Collegiate Charter School understands this news may cause concern, and we sincerely apologize for this incident. We are committed to protecting the privacy and security of your information and working closely with you to address any concerns you may have.  We will continue to update you as the situation evolves. Although we don’t anticipate any issues, out of an abundance of precautions we urge you to monitor your accounts and report anything suspicious.

    If you have any questions or concerns, please contact Christian Simard, Director of Technology at IT@CollegiateLowell.org.

    Sincerely,

    Adam Bakr
    Executive Director
    Collegiate Charter School of Lowell

  • Q. How did this data breach happen?

    1. On January 7, 2025, Collegiate Charter School of Lowell was notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide, including several Massachusetts schools. Unfortunately, the breach resulted in the disclosure of Collegiate student and staff’s personally identifiable information (PII) to an unauthorized third party.

      PowerSchool stated that a support contractor’s login account was compromised which allowed authorized access into many of their clients’ data systems.

     

    Q. When did the data breach occur?

    1. The unauthorized access to our district’s data occurred on December 22, 2024, at 6:14PM and again at 9:04PM.

     

    Q. When was PowerSchool first alerted about the data breach?

    1. PowerSchool became aware of the breach on December 28, 2024, when the attackers contacted them with an extortion demand in exchange for destroying the data.

     

    Q. When was Collegiate first alerted about the breach?

    1. PowerSchool notified Collegiate of the breach on January 7, 2025 around 2PM via email.

     

    Q. Did PowerSchool pay the extortion demand?

    1. PowerSchool did confirm that they paid the attackers an undisclosed amount of money in exchange for video proof that the electronic destruction of the stolen data happened.

     

    Q. Does Collegiate use other PowerSchool products? Were those affected?

    1. Collegiate does use other products from PowerSchool, but those were not affected according to PowerSchool. This was only a breach with the Student Information System (SIS).

     

  • Q. What specific Personally Identifiable Information (PII) was exposed?

    1. Please refer to the tables in the other sections below, where those are explained. There were two database tables, Students and Teachers, that were exposed.

     

    Q. Was Private Health Information (PHI) exposed?

    1. No medical records were disclosed; however, some medical alerts and physician information related to students were.

     

    Q. Were staff or student social security numbers exposed?

    1. Current and former students: no, there were no instances of any Social Security numbers being compromised, because we do not store those in PowerSchool.

      However, for 1 staff member we have discovered that their social security number was included in this data breach, and we have notified them directly.

     

    Q. Is PowerSchool SIS safe to use?

    1. PowerSchool has continued to assure us that it is. There were no passwords compromised to our systems and no data was tampered with. PowerSchool assured Collegiate that they will continue to make improvements and place safeguards to further protect the system.

     

    Q. Is there a potential backdoor access to our SIS?

    1. PowerSchool has been working with CrowdStrike, a leading cybersecurity organization, to conduct further forensic analysis of all logs during the events. They have stated they will provide more information as they get it. At this time, PowerSchool does not feel any backdoor access was created. PowerSchool has also confirmed that they have taken immediate action to ensure the previous access obtained is restricted.

     

    Q. What is Collegiate doing to protect the privacy and safety of staff and student data?

    1. As always, we are continuing to review all of our digital systems to ensure they are as secure and safe as possible. This includes audits, phishing trainings and simulations, automated account management tools, and continuing to require multi-factor authentication.

     

    Q. Does PowerSchool offer identity or credit monitoring to those affected by the data breach?

    1. PowerSchool has stated that further information is to follow regarding this, as they are looking into offering those services.

     


    Thank you to a sister Massachusetts district for providing some of these questions and formatting.