Stoughton — At the Jan. 14 meeting, Superintendent Doctor Raeta told the Stoughton School Committee the district has been monitoring a cybersecurity incident involving PowerSchool and that the company’s inconsistent early notifications complicated the district’s response.

Raeta said PowerSchool first told the district it was not part of the incident and then the next day notified them that it was. She said the district has identified two current employees and about 17 or 18 former employees whose Social Security numbers may have been included in the PowerSchool incident, and the district has begun contacting affected people.

The district has been participating in the information-sharing meetings that PowerSchool and state cyber authorities have convened, Raeta said, and she named the district’s technology lead as the internal point of contact: “Anthony Fippenin, our, our, our, administrator for, technology is is is the lead person for us on this.”

The committee asked whether PowerSchool has committed to contact credit bureaus on behalf of affected families. Raeta said district leaders are pressing the vendor to take the lead on communications to the public and that the attorney general’s office and other state cyber offices are “asking questions.” She added that there has been discussion about a possible breach-of-contract claim against PowerSchool because of delayed notification to districts.

Raeta also clarified the district has not knowingly had student social-security numbers stored in PowerSchool for a number of years, but older staff records did contain Social Security numbers in the district’s legacy system and those records were among the items being investigated. "It was not a Stoughton Public Schools breach," she said, and added staff will be informed of next steps and options for monitoring credit and identity if they are impacted.

District technology staff described technical and procedural responses the district has started: rolling password changes, strengthening multi-factor authentication for administrative accounts and working with PowerSchool on information. Raeta said the district has been moving administrators and faculty toward two-factor authentication and other protections before the incident, and that additional changes will be communicated to staff and families in the coming days.

Ending: The superintendent said the district would continue to update staff and families as information arrives and that the district’s tech administrator is coordinating the response with PowerSchool and state officials.