Canton Public Schools alerted families Jan. 7 that PowerSchool, the student information system used by the district and about 18,000 other customers worldwide, experienced a cybersecurity breach that exposed student and staff directory and demographic records.

District officials presented a timeline at the Jan. 9 School Committee meeting and said they continue to gather information from PowerSchool and security partners. ‘‘Regrettably, PowerSchool failed to live up to our expectations with data security,’’ said Mr. Fogle, who presented the district’s account of events and led coordination with town IT and law enforcement.

The district said PowerSchool identified a compromised “superuser” account on Dec. 19 that gave a threat actor access to support tools that reach many districts’ SIS servers. PowerSchool reported the threat actor executed a script on Dec. 22 that extracted student and staff tables worldwide in just over two minutes. PowerSchool notified customers Jan. 7 and said it had engaged investigators and contracted CrowdStrike to monitor for any reappearance of data.

Superintendent Folan told the committee the district sent two letters to families and posted materials on its website; the district also published a Google form to collect questions and said it will post a live FAQ. ‘‘The district is extremely sorry this happened and is trying to be as timely and transparent as possible,’’ Folan said.

District officials said the extract targeted directory and demographic fields, and that Canton Public Schools does not store Social Security numbers in its instance; PowerSchool’s initial reports show Social Security columns existed in the extracted tables but the district said those fields were not populated for Canton. Officials said other sensitive categories — account access credentials, financial information, enrollment evaluation records and other student education-privacy fields — were not part of the extract as described by PowerSchool.

Committee members asked whether PowerSchool will offer credit monitoring and about notification timelines. Mr. Fogle said PowerSchool has indicated it will identify individuals who meet a threshold for credit‑monitoring offers and notify districts, but district staff had not yet received a list of affected individuals. Committee members and the district’s representative on the regional tech collaborative said the collaborative’s legal team is also reviewing the timeline and contract language for customer notification.

District staff described internal protections for Canton’s own network, including 24/7 endpoint and network monitoring, firewalls and vendor-supplied managed detection. ‘‘This was a breach of PowerSchool’s cloud platform, not of the district network,’’ Fogle said, adding that district staff made the Social Security field uneditable in the local SIS as an extra precaution.

The district said PowerSchool contracted an investigator (Cyber Strike) and a negotiator (Cyber Steward) to engage with the threat actor; PowerSchool has said it expects a full Cyber Strike report to be released and has announced additional security measures. Canton officials said they will continue to attend PowerSchool briefings and share updates with families as new information becomes available.

The committee encouraged continued outreach and pledged to post answers to frequently asked questions on the district website.