What happened:
A compromised credential was used by a threat actor in late December to gain access to one of PowerSchool's internal support tools, according to information provided by PowerSchool. The threat actor then used an internal maintenance tool, on December 22nd, to gain unauthorized access to student and staff data located in two data tables of our PowerSchool Student Information System (SIS).
PowerSchool was made aware of the incident on December 28th and began an immediate investigation with both internal resources and third-party cybersecurity experts. Law enforcement was also informed. According to PowerSchool, the incident is now contained, and there is no evidence of further unauthorized activity. CrowdStrike, a cybersecurity company that provides threat intelligence and cyber attack response services, is performing an investigation, and a full incident report is expected in the coming days.
CyberSteward, a firm that negotiates with threat actors, was also engaged by PowerSchool. While the specifics of the negotiation are unknown, PowerSchool has stated that in exchange for payment they have received reasonable assurances from the threat actor that the data was deleted, including video showing the electronic destruction of the stolen data, and that no additional copies exist. PowerSchool's senior leadership has stated that they are confident the data will not be made public.
On January 7th, PowerSchool informed districts of the incident by email. Sandwich Public Schools began an internal investigation immediately and confirmed that unauthorized access to our district's data occurred on December 22nd. Families and staff were informed on January 8th.