After listening to her phone blow up with texts and messages around 2:00 p.m., Wayland Public School’s Director of Technology Jenn Judkins opened her inbox to receive a shocking email on Jan. 7. The nation’s largest student information system provider, PowerSchool, had been breached, compromising student information such as addresses, grades, social security numbers and medical details. PowerSchool was hacked by an unknown threat actor who held the data for ransom and threatened to release sensitive student and teacher information. Wayland’s data was not included in the breach.
PowerSchool is a prominent educational software system used by schools across the globe, including Wayland High School. WHS uses ESchoolPlus, a company owned by PowerSchool. On Dec. 28, 2024, PowerSchool was notified by the threat actor personally. According to Wellesley’s superintendent, David Lussier, the threat actor informed Powerschool that they had breached their cybersecurity system and threatened to release all the information they were able to download if they didn’t receive a certain amount of money.
The specific product of PowerSchool that was affected in the breach was the Student Information System (SIS), an information center designed to provide information to administrators. The SIS is a resource for teachers to access information about their students in an organized manner.
“Student Information Systems are essentially the source of truth,” Judkins said. “It is the most important piece of software that we use in our school district to track everything about kids and almost everything about our staff.”
PowerSchool confirmed that sensitive details included within the SIS, such as student’s and administrator’s addresses, grades, social security numbers, and medical information, were leaked in the breach. In some districts that PowerSchool provides for this stirred unease in students and teachers.
“I was very shocked and worried that it would happen to Wayland,” sophomore Devin Tandon said.
The exact numbers of affected schools has not been confirmed but, according to Judkins, Wayland was not among the impacted schools. A period of transition that may have been a source of frustration in other circumstances ended up allowing Wayland to dodge a bullet and not become one of the targeted schools.
Wayland is currently planning to switch its student information database provider from ESchoolPlus into PowerSchool’s SIS. While this platform has been bought, it is not prepared to be launched until fall. This means that no student or faculty information was stored in the SIS during the time of the breach.
“I have complete confidence that none of our data was impacted as a result of [not transferring data into the SIS],” Judkins said. “There was no data in that system, it’s literally an empty shell at this point.”
This was not the case for surrounding schools. Critical information in neighboring towns such as Wellesley and Needham were included in the leak.
“Once we realized what had occurred, [the SIS leak] had affected us,” Lussier said. “It was extremely concerning. The first thing we wanted to do was figure out exactly which data was compromised because being transparent about what we know and the steps that are being taken is the most important thing to do.”
Honest communication plays a pivotal role in giving worried communities the facts they need. In order to reconcile with its clients, PowerSchool hosted an informational meeting on Jan. 8. Technology directors from towns that use Powerschool met to hear details about the nature of the breach and what the next steps were to keep information protected. Judkins was one of the attendees at this meeting.
“I was super impressed because so much of cyber security is about translating from the technical side of the house to the people who are impacted and may not necessarily understand some of the specific terms or complexities around technology management and infrastructure,” Judkins said. “It was super appropriate that PowerSchool started their communications with the technical staff in districts so that they could start to control messaging.”
While the breach was a concerning event, the transparency PowerSchool exhibited in this meeting reinstated Judkins confidence in the plan to transfer Wayland’s information into the SIS this fall.
“[The breach] does not make me second guess [PowerSchool’s] vision at all,” Judkin said. “The real take home about this incident was [that] it was a perfect example of response. The [approach to this situation] was affirming for me, and I’m feeling good about the decision for this community moving forward with PowerSchool.”
On top of reassuring their customers, the meeting provided technology directors with the information they needed to properly assess the situation and determine what emergency protocol measures they should take. As technology continues to become more and more intertwined in society, technological directors being prepared with emergency response plans is crucial when combating threat actors. The frequency of cybersecurity attacks has been on a notably steady incline in the past few decades. A recent statistic from the website, Cobalt, showed that in 2023, the global average cost of cybersecurity attacks increased by 15% from 2020. As time goes on, hackers have become more and more efficient with their methods, which is apparent when looking into the strategy of this particular attacker.
The timing of this leak occurring so close to Christmas was anything but accidental. It’s a strategy of threat-actors to hack sensitive systems during times of leniency or distraction, like a holiday or a break. By invading the SIS when there was a low chance of having moderators actively watching, the perpetrators were able to steal this information without being noticed.
“Opportunity is always a part of a threat actor’s plan,” Judkins said. “They’re not going to go poking around in your system when they know you might be watching.”
Our growing reliance on technology can benefit efficiency when it comes to education but can also strengthen the abilities of hackers, putting school systems at higher risk of data breaches like this. The relationship between cybersecurity systems and hackers resembles that of coevolution, prompting the collaboration between administrators and tech directors to continue to strengthen cyber defense mechanisms.
“There’s no going back,” Lussier said. “We all use software in this digital age, and we’re gonna have to figure out how to continue to evolve to make sure things are as secure and compartmentalized as possible.”
The chance that hackers will quit as more and more data gets stored electronically is incredibly low, which accentuates how crucial it is to remain vigilant and work constantly to develop and re-imagine cybersecurity.
“There’s no question that these threat actors and those who seek to hack into systems continue to become more sophisticated in their technique, so we have to be equally sophisticated in what our response is,” Luisser said.
Methods of strengthening the school system’s cyber security is evident in both Wellesley and Wayland. Both towns require multi-factor authentication to login into PowerSchool, meaning that staff and students have to put in two sources of information before logging in and are logged out after a certain amount of time passes. These methods may seem strenuous to some but with a rapidly increasing reliance on technology, they are crucial to preventing events like this breach in the future.
“At the end of the day, security is not convenient, but it’s our responsibility to ensure it,” Judkins said. “It’s a call to action for everybody because cyber security is not going away.”