Dr. Sawyer, superintendent of Shrewsbury Public Schools, told the School Committee on Jan. 8 that the district was affected by a global cybersecurity incident at PowerSchool, the student-information vendor used by the district.

The superintendent said the data that was downloaded included demographic information — "names, addresses, phone numbers, email addresses, student ID numbers, and staff ID numbers, student birth dates" — and that PowerSchool has told customers it believes the data "has been irrevocably destroyed." He added: "This wasn't through the Shrewsbury system," and said the incident affected districts nationwide.

Why it matters: demographic and identification data can be used for fraud or targeted scams and is sensitive to families and staff; the school district said the incident did not touch account passwords, credit-card payment information, educational records, personnel files or student health records (with the caveat that demographic fields can include allergy alerts). The district said PowerSchool is working with cybersecurity firms and federal agencies to investigate and to monitor for misuse.

What the district said and what wasn’t affected
Dr. Sawyer said district staff confirmed what had been compromised locally and that PowerSchool has communicated to customers that the actor was paid and the company believes the downloaded files were destroyed. "They have assured us that they don't anticipate any of that data continuing to exist outside of our system," he said.

He listed items the district believes were not affected: passwords; credit-card information in payment systems; legal documents used during registration; photographs; "educational data in student records"; and personnel data in staff records. He also emphasized that the district will continue to communicate new information to families and staff as it becomes available.

District next steps and guidance
Dr. Sawyer said PowerSchool will offer adult customers credit monitoring and identity-protection services for affected minors in accordance with contractual and regulatory obligations. He asked families and staff to monitor accounts and to report suspicious activity to school tech staff, and warned residents to be wary of phishing attempts.

"If you see any suspicious activity, ... staff members should report that to their school-based tech team," Dr. Sawyer said. He also gave a contact route for parents who received the district's notice.

What the district did not say
The district did not provide a complete list of the number of affected records or a timeline for when families will receive vendor-provided monitoring services; Dr. Sawyer said PowerSchool is still completing its investigation and the district will share further details when available.

Context
PowerSchool is used by many districts; the superintendent framed the incident as coming through the vendor rather than through a breach of Shrewsbury’s local systems and noted prior local investments in cybersecurity and an ongoing partnership with the town to manage cyber risks.

— Reporting based on statements by Dr. Sawyer, superintendent, and the Jan. 8 School Committee meeting transcript.