A nationwide data breach of a cloud-based software provider has hit at least four Long Island school districts, including one where personal information of staff was potentially exposed, officials said.
The Massapequa, Smithtown Central and Uniondale school districts, as well as Nassau BOCES, were swept up in the breach of California-based PowerSchool, according to officials with the districts.
PowerSchool is a cloud-based software company that provides student information services to more than 16,000 customers and more than 50 million students worldwide, according to its website. On Dec. 28, the company notified its clients of a "cybersecurity incident," said Matthew C. Ritter, the Uniondale school district's assistant superintendent of data, planning, assessment and accountability, in a statement Friday.
"Unauthorized access was gained to certain systems, potentially exposing the personal information of staff members with PowerSchool accounts," Ritter said. "The compromised data may have included staff names, phone numbers, addresses, and Social Security numbers."
PowerSchool, in a statement to Newsday on Sunday, said: "PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident."
The hacker had gained access to the PowerSchools Student Information System, also known as SIS, using a "compromised credential," the company wrote previously in a letter to affected school districts across the country.
"We can confirm that the information accessed belongs to certain [Student Information System] customers and relates to families and educators, including those from your organization," the letter read. "The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident."
Larry Leaven and James Widmer, Nassau BOCE's district superintendent and deputy superintendent, respectively, said in a joint statement that PowerSchool had informed the district the "vulnerability has been fully remediated."
"Our team is working closely with PowerSchool to fully understand the extent of the breach and to ensure that our data remains secure," the statement said. "We will continue to monitor the situation and provide updates as needed."
A representative for the Massapequa district said in a statement that it had been told by PowerSchool the breach had affected a "significant number of schools." A representative for the Smithtown Central district said in a statement that PowerSchool is "working with the FBI and cybersecurity experts."
"Out of an abundance of caution, password resets will be initiated as a precautionary measure," the Massapequa statement continued.
PowerSchool said in its letter that it "did not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination."