January 10, 2025
Dear AB Families and Staff:
As we previously communicated, on Tuesday, January 7 we were informed about a national/worldwide cybersecurity incident that occurred in late December involving our student information system (SIS) provider, PowerSchool. PowerSchool confirmed student and staff information from across the country and Canada had been accessed by an unauthorized user.
We engaged in a conference call with PowerSchool late afternoon on January 8 to get specific details about our data. We have confirmed the following:
-
The issue was caused by compromised credentials of a PowerSchool employee that allowed access to their national customer support platform.
-
The PowerSchool support platform is operated and managed by PowerSchool, not the Acton-Boxborough Regional School District.
-
Most of the information obtained was Directory information. Directory information includes names, addresses, and emails that are not protected by state and federal student records laws and regulations.
Our Technology staff was able to audit our internal records and located the specific files that were accessed. Our own internal assessment found that, in addition to the Directory information for all students and staff previously disclosed, there were specific instances where sensitive student information was accessed that is protected by state and federal student records laws and regulations. There was no protected staff information disclosed.
Specifically, our team identified the following instances of protected student information of current and former students having been disclosed:
-
Social Security numbers: 12 former students.
-
Medical Alerts*: 510 current students (medical alerts contain only the portion of a student's medical history that must be shared with staff in order to maintain the student’s safety at school such as a life-threatening food allergy).
-
Custody and Court-related Alerts: 105 current students. Custody alerts include information such as custody agreements, restraining orders, and other legal information which stipulate how our schools may communicate with families.
If your child had protected information noted above that was compromised as part of this data breach, we will notify you of the specific category of information through a separate email. This email will be specific to your child and provide contact information in the event you want to follow up directly with school staff.
Please know that as a practice we do not collect certain sensitive information such as social security numbers or immigration status, so this information is not part of our information systems. Additionally, most of a student’s medical information is kept separately in a secured system outside of PowerSchool. The only exception to this is when a student has a life-threatening medical concern that needs to be shared among our staff.
PowerSchool has reported that they have taken measures to curtail further breaches.
What action do you need to take: All staff and families should reset their passwords for added account security. User passwords were not part of the data compromised in the breach; however, out of an abundance of caution, we are requesting that all staff and families reset their passwords for their PowerSchool accounts. To reset your password, log in to the portal, select account preferences, and edit your password (see below).
This news and the delay in which the security breach was reported to us are extremely concerning. Our goal in this process has been to address the issue with the greatest transparency possible.
Sincerely,
Peter Light
Superintendent of Schools