PowerSchool Data Breach Information
- Message from the Superintendent
- PowerSchool's Timeline and Steps
- FAQ
- Student Data Fields
- Staff Data Fields
Message from the Superintendent
Dear Holliston Community,
We are writing to let you know that on the afternoon of January 7, 2025, we were informed by PowerSchool that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals, PowerSource. PowerSchool has indicated an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential of a PowerSchool employee. At this time, we know that the breach was limited to PowerSchool SIS and PowerSchool’s Special Programs and PowerTeacher Gradebook were not breached. Although the unauthorized person and compromised credential were not associated with Holliston Public Schools, HPS District data was accessed.
Specifically, PowerSchool reported that it:
“Believe[s] the export data manager tool was used to extract only student and teacher tables. These tables primarily include contact information with data elements such as name and address information. For a subset of the customers, these tables contain Personally Identifiable Information (PII), some medical information, and other alerts for current and former students depending on the specific school district.”
PowerSchool has reported to the District that it “engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.” PowerSchool further reported that: “Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment.” It further stated: “We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.” Finally, PowerSchool has indicated that: “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination. . . . We have a video confirming deletion and are actively searching the dark web to confirm.”
We believe that we may have been partially impacted by this breach. We are following up with PowerSchool to find out more information on how the District was specifically affected and for more details on the incident. As we receive more information, we will relay this to families and the community and to any specific individuals impacted. The District is reviewing what occurred internally and whether we need to take additional security measures on our end. We have already taken measures prior to this event to prevent our staff and student data from being compromised. To reiterate, this was not a data breach associated with any staff or any credentials of Holliston Public Schools.
Here are the steps we have already taken and will continue to expand:
- Require vendors to sign legally-binding student data privacy agreements
- Enable multi-factor authentication on staff accounts
- Modify and standardize data access based on role
- Require cyber training for staff with high-level access to student and financial data
- Require District-wide cyber training for all staff on January 17, 2025
If you have any questions, please do not hesitate to reach out to Dan MacLeod, Director of Technology & Digital Learning, at macleodd@holliston.k12.ma.
Sincerely,
Dr. Susan Kustka
Superintendent
PowerSchool's Timeline and Steps
- How did this data breach happen?
- When did the data breach occur?
- When was the district first alerted about the breach?
- Did PowerSchool pay the extortion demand?
- Does the District use other PowerSchool products? Were they affected?
How did this data breach happen?
On January 7, 2025, Holliston Public Schools were notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide. Unfortunately, the breach resulted in the disclosure of Holliston staff members’ personally identifiable information (PII) to an unauthorized third party.
PowerSchool stated that a support contractor’s login account was compromised, which allowed authorized access into many of their clients’ data systems.
When did the data breach occur?
When was the district first alerted about the breach?
Did PowerSchool pay the extortion demand?
Does the District use other PowerSchool products? Were they affected?
FAQ
- What specific Personally Identifiable Information (PII) was exposed?
- Was Private Health Information (PHI) exposed?
- Were staff or students' Social Security numbers exposed?
- Is PowerSchool SIS currently safe to use?
- What about the potential for backdoor access to PowerSchool SIS?
- What is the district doing to protect the safety and privacy of student and staff data?
- Will PowerSchool provide identity or credit monitoring to those individuals affected by the data breach?
- Who to contact if I still have questions
What specific Personally Identifiable Information (PII) was exposed?
Please refer to the table below for detailed information on the data fields included in the breach. Two tables from within PowerSchool SIS were exported: “Students_export.csv” and “Teachers_export.csv”. From reviewing available log data, we were able to reconstruct the fields exported by the unauthorized user. We have also included summary statistics regarding the percentage of those fields containing actual data.
Was Private Health Information (PHI) exposed?
Were staff or students' Social Security numbers exposed?
Current students and staff: Social Security numbers are not actively stored in PowerSchool SIS, so no Social Security numbers were disclosed.
Former students and staff: Social Security numbers were not actively stored in PowerSchool SIS, so no Social Security numbers were disclosed.
Out of district students: Social Security numbers are not actively stored in PowerSchool SIS, so no Social Security numbers were disclosed.
Is PowerSchool SIS currently safe to use?
What about the potential for backdoor access to PowerSchool SIS?
What is the district doing to protect the safety and privacy of student and staff data?
- Require vendors to sign legally-binding student data privacy agreements
- Enable multi-factor authentication on staff accounts
- Modify and standardize data access based on role
- Require cyber training for staff with high-level access to student and financial data
- Require District-wide cyber training for all staff on January 17, 2025
Will PowerSchool provide identity or credit monitoring to those individuals affected by the data breach?
Who to contact if I still have questions
Student Data Fields
PowerSchool Data Field Name | Field Description | Percentage of breached records containing data in this field |
STUDENTS.ID | Unique identifier for a student in the system. | 100% |
STUDENTS.dcid | random number | 100% |
STUDENTS.Enroll_Status | data is a 0, 1, 2, 3 or 4 | 68% |
STUDENTS.Enrollment_SchoolID | DESE code for the school | 100% |
STUDENTS.DOB | The student’s date of birth. | 100% |
STUDENTS.EnrollmentID | Number associated to student’s enrollment record. | 100% |
STUDENTS.EntryDate | Date the student entered the school or district. | 100% |
STUDENTS.Exclude_fr_rank | Data is set to false | 100% |
STUDENTS.ExitDate | The date the student exited the school or district. | 100% |
STUDENTS.Father_StudentCont_guid | Unique ID - random string of numbers | 100% |
STUDENTS.First_Name | The student’s first name. | 100% |
STUDENTS.Guardian_StudentCont_guid | Unique ID - random string of numbers | 100% |
STUDENTS.Last_Name | The student’s last name. | 100% |
STUDENTS.LastFirst | The student’s full name in "Last Name, First Name" format. | 100% |
STUDENTS.Log | date stamp | 100% |
STUDENTS.LunchStatus | Data taken was either a 0 or 1. | 100% |
STUDENTS.MembershipShare | data is "1" | 100% |
STUDENTS.Mother_StudentCont_guid | Unique ID - random string of numbers | 100% |
STUDENTS.Person_ID | Unique ID - random string of numbers | 100% |
STUDENTS.Sched_LoadLock | Data taken was either true or false | 100% |
STUDENTS.Sched_LockStudentSchedule | Data taken was either true or false | 100% |
STUDENTS.Sched_Scheduled | Data taken was either true or false | 100% |
STUDENTS.SchoolID | DESE school identifier number | 100% |
STUDENTS.State | The state where the student resides. | 59% |
STUDENTS.State_EnrollFlag | Data is either true or false. | 100% |
STUDENTS.State_ExcludeFromReporting | Data is either true or false. | 100% |
STUDENTS.Student_Number | The unique student number within the district. | 100% |
STUDENTS.StudentPers_guid | Unique identifier for the student’s personal record, long string. | 100% |
STUDENTS.StudentPict_guid | Unique identifier for the student’s picture record. Note: students' photos were NOT included in the data breach. | 100% |
STUDENTS.StudentSchlEnrl_guid | Unique identifier for the student’s school enrollment record. | 100% |
STUDENTS.TRANSACTION_DATE | Date stamp | 100% |
STUDENTS.City | The city of the student’s residence. | 59% |
STUDENTS.Gender | The student’s gender. | 99% |
STUDENTS.Street | The street address of the student’s residence. | 59% |
STUDENTS.Zip | The zip code of the student’s residence or mailing address. | |
STUDENTS.FTEID | Data are numbers such as 0, 1, 2, 4, 5, etc. | 100% |
STUDENTS.WHOMODIFIEDTYPE | A, N or X | 100% |
STUDENTS.ClassOf | The graduation year for the student. | 59% |
STUDENTS.State_StudentNumber | The unique state-level identifier for the student. | 99% |
STUDENTS.Home_Phone | The student’s home phone number. | 54% |
STUDENTS.Sched_NextYearGrade | The grade level for the student in the next school year. | 57% |
STUDENTS.Sched_YearOfGraduation | The student’s expected year of graduation. | 49% |
STUDENTS.Grade_Level | The current grade level of the student. | 97% |
STUDENTS.PhotoFlag | 0 or 1 | 53% |
STUDENTS.Student_Web_ID | PowerSchool username | 42% |
STUDENTS.EntryCode | 1, 2, or 3 | 95% |
STUDENTS.TransferComment | Comments regarding the student’s transfer - lists the school they are coming from or going to | 64% |
STUDENTS.Mailing_City | The city listed on the student’s mailing address. | 59% |
STUDENTS.Mailing_Street | The street address for the student’s mailing address. | 59% |
STUDENTS.Mailing_Zip | The zip code for the student’s mailing address. | 59% |
STUDENTS.Mailing_State | The state listed on the student’s mailing address. | 59% |
STUDENTS.Web_ID | 6 digit random number | 53% |
STUDENTS.Student_AllowWebAccess | 0 or 1 | 37% |
STUDENTS.AllowWebAccess | 0 or 1 | 53% |
STUDENTS.Mother | The name of the student’s mother. | 53% |
STUDENTS.Middle_Name | The student’s middle name. | 98% |
STUDENTS.Doctor_Name | The name of the student's primary doctor. | 52% |
STUDENTS.Doctor_Phone | The phone number for the student’s doctor. | 52% |
STUDENTS.Father | The name of the student’s father. | 52% |
STUDENTS.Ethnicity | The student’s ethnicity as self-reported or recorded. | 77% |
STUDENTS.DistrictEntryDate | The date the student first entered the district. | 57% |
STUDENTS.SchoolEntryDate | The date the student first entered the current school. | 23% |
STUDENTS.Bus_Route | data ranges from the student's first name to bus numbers | 0% |
STUDENTS.Bus_Stop | most data has the student's last name | 0% |
STUDENTS.Lunch_ID | 4 digits | 3% |
STUDENTS.Next_School | The next school the student is expected to attend. | 37% |
STUDENTS.LDAPEnabled | 0 or 1 | 0% |
STUDENTS.Home_Room | For some students, this lists their homeroom as a classroom number. | 47% |
STUDENTS.ExitCode | Number from 1 to 16 | 66% |
STUDENTS.ExitComment | specifies the school the student is now attending | 23% |
STUDENTS.Locker_Combination | The combination for the student’s locker. | 12% |
STUDENTS.Locker_Number | The number of the locker assigned to the student. | 12% |
STUDENTS.IP_ADDRESS | last IP address that PS was used from by the student | 95% |
STUDENTS.Emerg_Contact_1 | The first emergency contact for the student. | 46% |
STUDENTS.Emerg_Phone_1 | Phone number of the first emergency contact. | 46% |
STUDENTS.WHOMODIFIEDID | number from 0-7000 | 95% |
STUDENTS.Graduated_SchoolID | DESE school code | 7% |
STUDENTS.Graduated_SchoolName | Name of the school from which the student graduated. | 7% |
STUDENTS.Sched_Priority | 0, 1, 2, 3, or 4 | 36% |
STUDENTS.DistrictOfResidence | The district where the student resides. | 15% |
STUDENTS.Geocode | Geographical code for the student’s residence. | 1% |
STUDENTS.Mailing_Geocode | Geographical code for the student’s mailing address. | 1% |
STUDENTS.DistrictEntryGradeLevel | The grade level of the student upon entry into the district. | 13% |
STUDENTS.SchoolEntryGradeLevel | The grade level of the student when entering the current school. | 13% |
STUDENTS.Alert_Medical | Used for medical alerts for life-threatening allergies, etc. | 7% |
STUDENTS.Track | Letter A-F, used during COVID | 3% |
STUDENTS.GradReqSetID | 0 or 1 | 4% |
STUDENTS.FedEthnicity | Federal designation of the student’s ethnicity - listed as a number | 6% |
STUDENTS.Emerg_Contact_2 | The second emergency contact for the student. | 38% |
STUDENTS.Emerg_Phone_2 | Phone number of the second emergency contact. | 38% |
STUDENTS.Team | use for middle school team designation (7-1, 7-2) | 0% |
STUDENTS.Sched_NextYearHomeRoom | The homeroom assigned to the student for the next school year. | 15% |
STUDENTS.Alert_Other | note field | 7% |
STUDENTS.GuardianEmail | Email address of the student’s guardian. | 23% |
STUDENTS.Building | The building where the student is enrolled. | 0% |
STUDENTS.Alert_OtherExpires | The date when the other alert expires. | 0% |
STUDENTS.Alert_Guardian | notes field - used for court order information | 1% |
STUDENTS.SummerSchoolNote | lists the summer school attended | 0% |
STUDENTS.Applic_Response_Recvd_Date | date | 0% |
STUDENTS.GradReqSet | 1 or 8 | 0% |
STUDENTS.Applic_Submitted_Date | The date when the student's application was submitted. | 0% |
STUDENTS.Alert_GuardianExpires | The date when the guardian alert expires. | 0% |
STUDENTS.Enrollment_Transfer_Info | Details about the student’s transfer - only found on 4 records | 0% |
STUDENTS.Alert_MedicalExpires | The date when the medical alert expires. | 0% |
STUDENTS.TuitionPayer | 0 or 1 | 3% |
STUDENTS.EnrollmentCode | -1, 1 or 2 | 0% |
STUDENTS.Sched_NextYearBuilding | The building where the student is expected to be enrolled next year. | 0% |
STUDENTS.Alert_Discipline | Indicates if the student has any disciplinary alerts. | 0% |
STUDENTS.Family_Ident | number | 35% |
STUDENTS.SSN | The student’s Social Security Number (only 1 student - will notify individually) | 0% |
STUDENTS.Alert_DisciplineExpires | The date when the disciplinary alert expires. | 0% |
STUDENTS.Balance1 | blank | 0% |
STUDENTS.Balance2 | blank | 0% |
STUDENTS.Balance3 | blank | 0% |
STUDENTS.Balance4 | blank | 0% |
STUDENTS.CampusID | blank | 0% |
STUDENTS.Cumulative_GPA | blank | 0% |
STUDENTS.Cumulative_Pct | blank | 0% |
STUDENTS.CustomRank_GPA | blank | 0% |
STUDENTS.Enrollment_Transfer_Date_Pend | blank | 0% |
STUDENTS.EnrollmentType | blank | 0% |
STUDENTS.FedRaceDecline | blank | 0% |
STUDENTS.Fee_Exemption_Status | blank | 0% |
STUDENTS.FullTimeEquiv_obsolete | blank | 0% |
STUDENTS.GPEntryYear | blank | 0% |
STUDENTS.Graduated_Rank | blank | 0% |
STUDENTS.GuardianFax | blank | 0% |
STUDENTS.House | blank | 0% |
STUDENTS.LastMeal | blank | 0% |
STUDENTS.Phone_ID | blank | 0% |
STUDENTS.PL_Language | blank | 0% |
STUDENTS.Sched_NextYearBus | blank | 0% |
STUDENTS.Sched_NextYearHouse | blank | 0% |
STUDENTS.Sched_NextYearTeam | blank | 0% |
STUDENTS.SDataRN | blank | 0% |
STUDENTS.Simple_GPA | blank | 0% |
STUDENTS.Simple_PCT | blank | 0% |
STUDENTS.Student_Web_Password | blank | 42% |
STUDENTS.SummerSchoolID | blank | 0% |
STUDENTS.TeacherGroupID | blank | 0% |
STUDENTS.Web_Password | blank | 53% |
STUDENTS.Withdrawal_Reason_Code | blank | 0% |
STUDENTS.WM_Address | blank | 0% |
STUDENTS.WM_CreateDate | blank | 0% |
STUDENTS.WM_CreateTime | blank | 0% |
STUDENTS.WM_Password | blank | 0% |
STUDENTS.WM_Status | blank | 0% |
STUDENTS.WM_StatusDate | blank | 0% |
STUDENTS.WM_TA_Date | blank | 0% |
STUDENTS.WM_TA_Flag | blank | 0% |
STUDENTS.WM_Tier | blank | 0% |
Staff Data Fields
PowerSchool Data Field Name | Field Description | Percentage of breached records containing data in this field |
TEACHERS.ID | Unique identifier for each record. | 100% |
TEACHERS.dcid | Internal database identifier for the record. | 100% |
TEACHERS.DefaultStudScrn | Default screen displayed for students. | 100% |
TEACHERS.First_Name | User's first name. | 100% |
TEACHERS.GradebookType | Type of gradebook assigned to the user. | 100% |
TEACHERS.Group | Group or category the user belongs to. | 100% |
TEACHERS.Last_Name | User's last name. | 100% |
TEACHERS.LastFirst | User's name displayed as last name, first name. | 100% |
TEACHERS.Sched_IsTeacherFree | Indicates if the teacher is free during scheduling. | 100% |
TEACHERS.Sched_Lunch | Scheduled lunch period. | 100% |
TEACHERS.Sched_Scheduled | Indicates if the schedule is finalized. | 100% |
TEACHERS.Sched_Substitute | Indicates if the user is a substitute teacher. | 100% |
TEACHERS.Sched_TeacherMoreOneSchool | Indicates if the teacher works at multiple schools. | 100% |
TEACHERS.Sched_UseBuilding | Indicates if building-specific scheduling is used. | 100% |
TEACHERS.Sched_UseHouse | Indicates if house-specific scheduling is used. | 100% |
TEACHERS.StaffPers_guid | Unique identifier for staff personnel. | 100% |
TEACHERS.TeacherNumber | Unique identifier for teachers. | 100% |
TEACHERS.Users_DCID | Unique identifier for users in the database. | 100% |
TEACHERS.Status | Current status of the user's account (e.g., active, inactive). | 100% |
TEACHERS.Email_Addr | User's email address. | 96% |
TEACHERS.StaffStatus | Employment status of the staff member (0-4) | 100% |
TEACHERS.HomeSchoolId | Identifier for the user's home school. | 100% |
TEACHERS.SIF_StatePrid | State-provided unique identifier. | 80% |
TEACHERS.SchoolID | Identifier for the school. | 100% |
TEACHERS.Home_Phone | User's home phone number. | 78% |
TEACHERS.NameAsImported | Name as originally imported into the system. | 76% |
TEACHERS.PSAccess | Access permissions for PowerSchool. | 100% |
TEACHERS.PTAccess | Access permissions for parent/teacher portals. | 100% |
TEACHERS.TeacherLoginID | Login ID for the teacher. | 72% |
TEACHERS.Ethnicity | User's self-reported ethnicity (1 letter) | 87% |
TEACHERS.Photo | 0 or 1 | 100% |
TEACHERS.Title | User's title or position. | 48% |
TEACHERS.Middle_Name | User's middle name. | 23% |
TEACHERS.CanChangeSchool | Indicates if the user can switch between schools in the system. | 39% |
TEACHERS.Log | Log of the user's activities or changes. | 32% |
TEACHERS.LoginID | User's unique login ID. | 36% |
TEACHERS.Homeroom | User's assigned homeroom. | 1% |
TEACHERS.Sched_MaximumConsecutive | Maximum consecutive periods allowed. | 100% |
TEACHERS.Lunch_ID | Identifier for the user's lunch account - 6 digit code | 100% |
TEACHERS.Sched_Classroom | Assigned classroom for the user. | 15% |
TEACHERS.Sched_Department | Department associated with the user's schedule. | 16% |
TEACHERS.Sched_MaximumFree | Maximum free periods allowed. | 100% |
TEACHERS.Street | User's street address. | 70% |
TEACHERS.City | City where the user resides. | 70% |
TEACHERS.State | State where the user resides. | 70% |
TEACHERS.Zip | User's ZIP code. | 69% |
TEACHERS.Maximum_Load | Maximum workload or number of assignments for the user. | 100% |
TEACHERS.HomePage | User's default homepage in the system. | 3% |
TEACHERS.PreferredName | User's preferred name. | 2% |
TEACHERS.FedEthnicity | 0 or 1 | 100% |
TEACHERS.School_Phone | Phone number for the user's school. | 1% |
TEACHERS.Sched_Team | Team assignment for the user. | 3% |
TEACHERS.TeacherLoginPW | blank | 71% |
TEACHERS.Password | blank | 59% |
TEACHERS.Access | blank | 0% |
TEACHERS.AdminLDAPEnabled | blank | 100% |
TEACHERS.AllowLoginEnd | blank | 100% |
TEACHERS.AllowLoginStart | blank | 100% |
TEACHERS.Balance1 | blank | 100% |
TEACHERS.Balance2 | blank | 100% |
TEACHERS.Balance3 | blank | 100% |
TEACHERS.Balance4 | blank | 100% |
TEACHERS.Classpua | blank | 0% |
TEACHERS.FedRaceDecline | blank | 100% |
TEACHERS.IPAddrRestrict | blank | 0% |
TEACHERS.LastMeal | blank | 0% |
TEACHERS.NoOfCurClasses | blank | 100% |
TEACHERS.Notes | blank | 0% |
TEACHERS.NumLogins | blank | 100% |
TEACHERS.PeriodsAvail | blank | 0% |
TEACHERS.PowerGradePW | blank | 0% |
TEACHERS.PrefixCodesetID | blank | 1% |
TEACHERS.Sched_ActivityStatusCode | blank | 0% |
TEACHERS.Sched_BuildingCode | blank | 0% |
TEACHERS.Sched_Gender | blank | 0% |
TEACHERS.Sched_Homeroom | blank | 0% |
TEACHERS.Sched_HouseCode | blank | 0% |
TEACHERS.Sched_MaximumCourses | blank | 100% |
TEACHERS.Sched_MaximumDuty | blank | 100% |
TEACHERS.Sched_MaxPers | blank | 100% |
TEACHERS.Sched_MaxPreps | blank | 100% |
TEACHERS.Sched_PrimarySchoolCode | blank | 0% |
TEACHERS.Sched_TotalCourses | blank | 100% |
TEACHERS.SSN | blank | 0% |
TEACHERS.supportContact | blank | 100% |
TEACHERS.TeacherLDAPEnabled | blank | 100% |
TEACHERS.TeacherLoginIP | blank | 0% |
TEACHERS.WM_Address | blank | 0% |
TEACHERS.WM_Alias | blank | 0% |
TEACHERS.WM_CreateDate | blank | 0% |
TEACHERS.WM_CreateTime | blank | 100% |
TEACHERS.WM_Exclude | blank | 100% |
TEACHERS.WM_Password | blank | 0% |
TEACHERS.WM_Status | blank | 0% |
TEACHERS.WM_StatusDate | blank | 0% |
TEACHERS.WM_TA_Date | blank | 0% |
TEACHERS.WM_TA_Flag | blank | 0% |
TEACHERS.WM_Tier | blank | 100% |