Massapequa Union Free School District technology staff told the Board of Education on Jan. 9 that a compromised PowerSchool support account allowed external access to student and staff data and that the district is pressing state and vendor partners for additional protections.

The district's presentation, led by Brian Piotrowski and delivered with Yvonne Knott (director of information management and the district's data protection officer), said the district was notified by PowerSchool on Jan. 7 that credentials for PowerSchool's customer support portal (PowerSource) had been found on the dark web and were used to export data from multiple districts. Piotrowski said the incident appears to be part of a global event that has affected many districts and “we take student and staff data very seriously. We protect that data at all costs,” and called PowerSchool's shortfalls “completely unacceptable.”

Why it matters: the exports the district can detect include records dating back to July 1, 2009, and contain directory and identifying fields that could expose people to identity theft or privacy intrusion. PowerSchool has said it will offer identity‑protection services for two years to affected people and credit monitoring for those 18 and older; the district said it is working with PowerSchool to clarify scope and communication methods.

Timeline and scope described to the board
Piotrowski said the external actor used a compromised support‑portal credential to access export tools; logs reviewed by the district show an export of MSD (Massapequa School District) student and staff tables. The staff table export included directory items (first name, last name, address, phone number, district email address and ethnicity). The student table export included first and last name, address, phone, school email address, date of birth, gender and ethnicity, plus parent/guardian contact information and any student alerts entered in PowerSchool (for example, allergy flags). The district said it does not store Social Security numbers in any online systems.

Response and follow-up
The district said it followed its incident response and New York State requirements, engaged its cyber insurance carrier and external counsel, and coordinated with BOCES and the New York State Education Department. PowerSchool told districts it engaged third‑party responders and law enforcement, deactivated the compromised credential and restricted access to the affected portal. The district said PowerSchool has begun scanning the dark web for exposed data and that PowerSchool told the district it does not expect financial harm from misuse of the specific exported fields, although the district said it will continue to press for detail and broader safeguards.

Services and notifications
PowerSchool has stated it will offer identity‑protection services for two years to eligible staff and students and credit monitoring for anyone 18 and older; the district said it is awaiting details on enrollment, scope and how PowerSchool will reach former students and staff whose contact information in the export may be out of date. The district plans to publish information on its website and to notify current staff and families directly once PowerSchool provides standardized outreach materials.

Policy and contract changes the district will pursue
District staff reviewed applicable state rules, noting Education Law 2‑d and related Part 121 regulations that govern third‑party contractors who host student data. The presentation said district contracts require vendors to submit data privacy plans, restrict employee access, use encryption in transit and at rest, and notify the district of breaches. Board members and staff agreed the district will press BOCES, the State Education Department and vendors to tighten contract requirements and seek statewide changes to require stronger vendor safeguards, including multifactor authentication and other technical controls.

What the board heard from the public
A member of the public who identified himself as a former Massapequa Federation of Teachers executive called out district transparency and praised the technology staff's responsiveness. The district reiterated it will continue to provide updates to the school community when more vendor information is available.

Next steps
District leaders said they will: (1) continue coordination with PowerSchool, BOCES and New York State; (2) post guidance and outreach information on the Massapequa website; (3) provide formal notifications to current staff and students and explore options for informing former students and staff; and (4) seek contract and state‑level changes to increase third‑party security requirements.