WAKEFIELD — The extent of last month’s data breach involving the local schools is coming into better focus, and the picture is not a pretty one.
Following is a memo sent to the community Wednesday afternoon by schools Supt. Dr. Doug Lyons, Assistant Supt. Kara Mauro and Jeff Weiner, director of Information Technology.
As we previously communicated, on Tuesday, January 7 we were informed about a national/worldwide cybersecurity incident that occurred in late December involving our student information system (SIS) provider, PowerSchool. PowerSchool confirmed student and staff information from across the country and Canada had been accessed by an unauthorized user.
We engaged in a conference call with PowerSchool late afternoon on January 8 to get specific details about our data. We have confirmed the following:
• The issue was caused by compromised credentials of a PowerSchool employee that allowed access to their national customer support platform.
• The PowerSchool support platform is operated and managed by PowerSchool, not the Wakefield Public Schools.
• Most of the information obtained was Directory information. Directory information includes names, addresses, phone numbers and emails.
Our Technology staff was able to audit our internal records and located the specific files that were accessed. Our own internal assessment found that, in addition to the Directory information for all students and staff previously disclosed, there were specific instances where sensitive student information was accessed that is protected by state and federal student records laws and regulations. There was no other protected staff information disclosed.
Specifically, our team identified the following instances of protected student information of current and former students having been disclosed:
• Medical Alerts: 1384 students (medical alerts contain only the portion of a student’s medical history that must be shared with staff in order to maintain the student’s safety at school such as a life-threatening food allergy).
• Guardian Alerts: 31. Custody alerts include information such as custody agreements, restraining orders, and other legal information which stipulate how our schools may communicate with families.
• Other Alerts: 708. Identifies whether or not a student is on an IEP or 504 plan, but does not discuss the details of that plan.
If your child had protected information noted above that was compromised as part of this data breach, we will notify you of the specific category of information through a separate secure email. This email will be specific to your child and provide contact information in the event you want to follow up directly with technology staff.
Please know that as a practice, we do not collect certain sensitive information such as social security numbers, financial data, or immigration status, so this information is not part of our information systems. Additionally, most of a student’s medical and Special Education information is kept separately in a secured system separate from PowerSchool. The only exception to this is when a student has a life-threatening medical concern that needs to be shared among our staff.
PowerSchool has reported that they have taken measures to curtail further breaches, and will be providing additional information in the coming weeks.
No PowerSchool account password information was shared or compromised in the breach.
The news of the hack and the delay in which the security breach was reported to us by PowerSchool is extremely concerning. Our goal in this process has been to address the issue with the greatest transparency possible and share information from PowerSchool as soon as it is provided to WPS.
Thank you,
Doug Lyons
Kara Mauro
Jeff Weiner
