Bedford Area School District Community,
We learned that PowerSchool, a provider of cloud-based software, providing services to over 60 million students and over 18 thousand educational organizations, experienced a data security incident (“PowerSchool Incident” or “Incident”). Bedford Area School District is a customer of PowerSchool, utilizing the program for Student Information System services, and was notified that our current and former students, staff, and parents and guardians of current and former students may have been affected by the PowerSchool Incident.
On December 28, 2024, PowerSchool became aware of unauthorized access to one of its “customer support portals,” PowerSource. PowerSchool’s investigation determined that sensitive data was exfiltrated from their PowerSchool Student Information System (SIS). The information was accessed from tables containing information of educators and students. The sensitive data may have involved the following information:
Of current and former students: Names, addresses, phone numbers, passwords (encrypted), notes, alerts, bus route numbers, student IDs, parent information and medical information;
Of current and former educators: Names, addresses, phone numbers, and passwords (encrypted); and
Of parents and guardians of current and former students: Contact information.
To be clear, BASD does not enter or store staff or student Social Security Numbers in PowerSchool.
Additionally, according to PowerSchool, it made a ransom payment to a threat actor (TA) to mitigate the risk of further unauthorized disclosure of the stolen information. Also, PowerSchool stated that it will provide identity protection services to “affected minors.”
On January 15, 2025, the Bedford Area School District received a notice from PowerSchool that we were involved in the data security incident. Upon receiving notification, the District immediately contacted our solicitor and our cyber insurance carrier. Our cyber insurance carrier designated Constangy, Brooks, Smith & Prophete, LLP to assist the District with handling the data security incident. On January 21, 2025, the BASD Board of Directors approved the engagement of services with the designated legal counsel.
The District is working closely with the designated legal counsel to ensure we are communicating with our staff and community appropriately regarding the data security incident. After consulting with our legal counsel, the District elected to create a specific letter to BASD parents, guardians, students, and staff rather than using a generalized form letter from PowerSchool to avoid confusion since each district uploads different data in the PowerSchool system. For example, the Bedford Area School District does not upload Social Security Numbers in PowerSchool. If you have any questions regarding this letter and/or generalized information from PowerSchool, please contact Mr. John Diehl, Chief Information Officer, at diehlj@bedfordasd.org or by phone at (814) 623-4208.
The District takes cyber security and protecting personally identifiable information very seriously and will act to the fullest measure to ensure that incidents of this nature are prevented in the future. Please know that the District will continue to evaluate its own cyber security measures and its contracted third-party services.
Our designated legal counsel created a document to assist our District with questions pertaining to this data security incident. You can view this document and the FAQ at https://www.bedfordasd.org/o/basd/page/powerschool-data-security-incident
Once again, if you have any questions please contact Mr. John Diehl, Chief Information Officer, at diehlj@bedfordasd.org or by phone at (814) 623-4208.