The personal data of Charlottesville students and staff has been compromised after PowerSchool, a popular K-12 software provider, was hacked in late December.
The data breach that has left thousands of school divisions nationwide exposed affected both Charlottesville City Schools as well as the city-owned Charlottesville Area Technical Education Center, or CATEC.
Charlottesville Superintendent Royal Gurley told parents in an email Thursday that the Social Security numbers of eight current and former CATEC students and staff members were exposed. Most of the remaining information that was exposed was “public directory information,” he said, meaning first and last names, addresses, birthdays, email addresses, race, student identification numbers and graduation years.
“We have confirmed that no social security numbers were exported for current Charlottesville City Schools students, and we expect that this is true for current Albemarle County Public Schools students,” reads Gurley’s email. “However, for some former students who graduated in 2018 or earlier, social security numbers were part of this export.”
The school division’s IT teams verified that none of the information involved in the cyberattack included “academic, health, discipline, personnel, or financial records.”
While the school division in neighboring Albemarle County has contracted with PowerSchool, spokeswoman Helen Dunn told The Daily Progress “fortunately, ACPS was not involved in the data breach.”
All of the stolen information is now believed to have been destroyed, according to the FBI. Under the condition that all of the data be erased with no additional copies made, PowerSchool paid an undisclosed ransom to the hacker who had somehow managed to download the data stored in the PowerSchool Student Information System between Dec. 22 and 28. The hacker used a compromised PowerSchool support technician’s credentials to gain unauthorized access to the software, the company said.
“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” PowerSchool said in a statement. “We have a video confirming deletion and are actively searching the dark web to confirm.”
Gurley said city school division is working with state and federal authorities investigating the breach.
“Although this matter is PowerSchool’s responsibility, we still take this violation seriously. The data in the file gives no further access to programs or software containing sensitive private information,” he said. “Even so, we are actively working with PowerSchool, the Virginia Fusion Center, and the Virginia Department of Education to investigate, and we will follow all recommendations.
“Again, PowerSchool believes that they have stopped the data from being shared.”
Folsom, California-based PowerSchool provides school divisions with a central repository for student records, including schedules, attendance, grades, report cards and transcripts. The company has more than 18,000 customers worldwide and supports more than 50 million students in the U.S. alone.
With the ransom paid, PowerSchool said it has returned to business as usual as there is no indication of “malware or continued unauthorized activity” across its servers.
“While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations,” the company said in a statement.
Source: www.dailyprogress.com