Area school districts might have been impacted by the cyberattack of a nationwide education software cloud-based platform called PowerSchool, used to store sensitive student data.
PowerSchool, the software company headquartered in Folsom, California, confirmed in a statement the security breach occurred on Dec. 28 through a customer service portal.
PowerSchool told media outlets it believes someone removed two tables in its student information system database that included contact information such as name, address and information for families and teachers.
News reports said the alleged data thief sought money from PowerSchool and the company said it paid the money and the data was deleted.
Northwest Indiana districts that use PowerSchool include Portage Township, Crown Point, Hanover Central, Munster and Hammond.
School districts rely on such software to communicate with parents so they can check their student’s grades, attendance and other data they’re interested in exploring.
PowerSchool’s website said it serves 60 million students at 18,000 organizations in the U.S. and Canada.
Hanover Community Schools Superintendent Mary Tracy-MacAulay said in a Friday email that PowerSchool is still investigating to determine what information was included in the breach.
“Once determined, more information and resources (including credit monitoring or identity protection services, if applicable) will be provided by PowerSchool,” she said.
In Crown Point, spokeswoman Brooke Allen said the district was passing on information from PowerSchool as it receives it.
In a communication with parents, the district said there was no indication it was unsafe to use PowerSchool and they could continue to access the system as normal.
The district finalized fall semester grades as planned and report cards will be available on Jan. 17. Instructions to access the grades will be available in an upcoming newsletter.
The district said it’s continuing to meet with PowerSchool officials to analyze how the incident affects the district.
“We will continue to provide information to parents and staff when it becomes available. We have engaged our own cybersecurity experts to help assess the situation and ensure that the district receives all updated PowerSchool communications and legal compliance information,” the district told parents.
The School City of Hammond reported being affected by the breach as well.
“Fortunately, our schools do not store financial information in PowerSchool for staff or students, limiting the impact of the breach,” Interim Superintendent Brent Wilson said in a statement from the district.
“Upon receiving this information from PowerSchool, the SCH Information Technology Department immediately started an internal investigation and eliminated external support access to the student information system.”
In Munster, Superintendent Bret Heller told parents in a notification that PowerSource said the breach was contained and measures were taken to prevent future unauthorized access.
“Some personal information, such as names, birthdates, contact details and possible other sensitive data, may have been accessed,” he said.
PowerSource told Munster it was working with the FBI in the investigation. “They have received reasonable assurance that the stolen information has been deleted by the unauthorized party, and no further dissemination or misuse is anticipated.”
Heller encouraged families to remain vigilant by monitoring accounts and credit reports.
Portage Township officials shared a similar message to families, said spokeswoman Melissa Deavers-Lowie.
That message also said PowerSchool has confirmed the data was deleted by the source of the breach. “They believe that the data was not shared or made public before it was deleted.”
Portage officials were told the compromised data primarily includes demographic information, such as names and addresses.
PowerSchool Chief Executive Officer Hardeep Gulati said in a statement the software company wasn’t experiencing operational disruptions and service was continuing as normal.
“PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously,” he said.
“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” Gulati said.
“We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
Gulati said PowerSchool doesn’t anticipate the misuse of personal information, but it will be providing credit monitoring to affected adults and identity protection services to affected minors.
Carole Carlson is a freelance reporter for the Post-Tribune.