Skip to main content

The Public Schools of Northborough and Southborough

Ten Schools, Three Districts, One Community of Learners

PowerSchool Data Breach Information

Messages from the Superintendent

  • The following message was sent to families on Friday, January 17, 2025:

    Dear Parent(s) and Guardians(s),

    This afternoon, the District learned more information from PowerSchool regarding what monitoring services it will provide families, due to the data breach. In the next week or two, families can expect the following:

    • Identity Protection and Credit Monitoring Services: PowerSchool has engaged Experian, a trusted credit reporting agency, to offer two years of complimentary identity protection services for all students and educators whose information from our PowerSchool SIS was breached. This offer will include two years of complimentary credit monitoring services for all adult students and educators whose information was involved.
    • Notification to Individuals Involved: Starting in the next few weeks, in collaboration with Experian, PowerSchool will provide notice to students (or their parent(s)/guardian(s) if the student is under 18) and educators whose information was breached, as well as a phone number to answer any questions you may have about the incident. The notice will include the identity protection and credit monitoring services offered.

    In the meantime, I encourage families to visit the NSboro PowerSchool Data Breach site and PowerSchool’s FAQ site for up-to-date information on the incident. If you have any additional questions, please reach out by emailing help@nsboro.k12.ma.us.

    Respectfully,

    Gregory L. Martineau
    Superintendent of Schools

    Jon Parent
    Director of Information Technology

    Cathy Carmignani
    Director of Instructional Technology

  • The following message was sent to families on Wednesday, January 8, 2025 via ParentSquare.

    Dear Parent(s) and Guardian(s),

    On January 7, 2025, The Public Schools of Northborough and Southborough’s (NSboro) student information system vendor, PowerSchool (the largest provider of cloud-based education software for K-12 education in the U.S), notified us that a widespread internal PowerSchool data breach affecting districts nationwide had occurred. Unfortunately, this resulted in NSboro’s student and staff personally identifiable information being accessed by an unauthorized third party. 

    Protecting the privacy and security of student, family, and staff data is a top priority for our District. As soon as we were made aware of the situation, we initiated our own internal investigation to confirm PowerSchool’s findings. PowerSchool told its clients: “The incident is contained, and we do not anticipate the data being shared or made public.” We will continue working with PowerSchool to understand what data was exported and how they will provide support to those affected.

    We are committed to ensuring transparency and providing information about how this is being addressed. Once we have more information from PowerSchool, we will send out additional communications. In the meantime, please reach out with any immediate concerns to help@nsboro.k12.ma.us

    Respectfully,

    Gregory L. Martineau
    Superintendent of Schools

    Jonathan Parent
    Director of Information Technology 

PowerSchool's Timeline and Steps

  • On January 7, 2025, the Public Schools of Northborough and Southborough (NSBoro) were notified by PowerSchool, the largest provider of cloud-based education software for K-12 education in the U.S., about a widespread internal data breach. This breach affected school districts nationwide, including NSBoro. Unfortunately, the breach resulted in the disclosure of NSBoro staff’s personally identifiable information (PII) to an unauthorized third party.

    PowerSchool stated that a support contractor’s login account was compromised which allowed authorized access into many of their clients’ data systems.

  • Unauthorized access to our district’s data occurred on December 22, 2024, at 6:11 a.m. and again at 9:11 p.m..

  • PowerSchool became aware of the breach on December 28, 2024, when the attackers contacted them with an extortion demand in exchange for destroying the stolen data.

  • PowerSchool notified the District of the breach on January 7, 2025, at approximately 2:00 p.m., via email.

  • PowerSchool confirmed that they paid the attackers an undisclosed amount in exchange for a video showing the electronic destruction of the stolen data.

  • Yes, the district uses several PowerSchool products, including Records, TalentEd, and SchoolSpring. However, PowerSchool has stated that only the PowerSchool SIS (Student Information System) was affected by this data breach.

     

  • PowerSchool has created a site of their own for Frequently Asked Questions.

FAQ

  • Please refer to the table below for detailed information on the data fields included in the breach. Two tables from within PowerSchool SIS were exported: “Students_export.csv” and “Teachers_export.csv”. From reviewing available log data, we were able to reconstruct the fields exported by the unauthorized user. We have also included summary statistics regarding the percentage of those fields containing actual data.

  • No medical records were compromised, as they are stored in a separate system. However, some medical alerts and physician information related to students were disclosed.

  • No custody records were compromised, as they are stored in a separate system. However, some medical alerts and physician information related to students were disclosed.

    General custody information was not compromised. However, guardian alerts were disclosed. This contains a brief note if there was a need for a child to have a custody alert in our system due to a court order. If you have concerns, please contact us at help@nsboro.k12.ma.us.

    • Current students and staff: Social Security numbers are not actively stored in PowerSchool SIS, so no Social Security numbers were disclosed.  
    • Former students: We are investigating one incident involving a former student’s Social Security number. That individual is being contacted directly.
  • PowerSchool has assured the district that no passwords were compromised and no data was tampered with. Based on this information, we are continuing to use PowerSchool SIS. There are no restrictions on the use of the software by either students or staff at this time.

  • PowerSchool has engaged with CrowdStrike, a leading cybersecurity organization, to conduct a forensic analysis of event logs during the unauthorized access period. They will provide updates if new information becomes available. However, PowerSchool does not feel any backdoor access was created.

  • We are currently reviewing all of our digital systems to ensure they are as secure as possible, including account audits, configuring multi-factor authentication, and implementing automated account management between key data systems, where possible.

  • We are currently awaiting additional information regarding this possibility.

    • This page contains a list of digital resources that have been vetted for use and student data privacy protections.   Many websites, including free online educational tools, gather personal data and/or are not intended for use by children under 13 without written parental consent.  Our school District partners with The Education Collaborative to help manage issues related to student data privacy. This partnership helps us, and other school systems in Massachusetts obtain Student Data Privacy Agreements with educational platforms. These agreements are legally enforceable agreements between vendors and the school districts that give schools and districts ownership & control of student data as well as define how a vendor may and may not use a child’s personal data.   Some platforms and vendors refuse to sign the agreement. Student safety is a priority of our District, and until the requested vendor allows NSBoro Schools the ownership of the personal information collected, children may continue to be blocked from accessing the website. 
  • Student Data Table

     

    PowerSchool Data Field Name Field Description Percentage of breached records containing data in this field
    STUDENTS.ID Unique identifier for a student in the system. 100.00%
    STUDENTS.dcid random number 100.00%
    STUDENTS.Enroll_Status data is a 0, 1, 2, 3 or 4 100.00%
    STUDENTS.Enrollment_SchoolID DESE code for the school 99.99%
    STUDENTS.DOB The student’s date of birth. 99.97%
    STUDENTS.EnrollmentID Number associated to student’s enrollment record. 99.94%
    STUDENTS.EntryDate Date the student entered the school or district. 99.94%
    STUDENTS.Exclude_fr_rank Data is set to false 99.94%
    STUDENTS.ExitDate The date the student exited the school or district. 99.93%
    STUDENTS.Father_StudentCont_guid Unique ID - random string of numbers 99.93%
    STUDENTS.First_Name The student’s first name. 99.93%
    STUDENTS.Guardian_StudentCont_guid Unique ID - random string of numbers 99.93%
    STUDENTS.Last_Name The student’s last name. 99.93%
    STUDENTS.LastFirst The student’s full name in "Last Name, First Name" format. 99.93%
    STUDENTS.Log date stamp 99.93%
    STUDENTS.LunchStatus Data taken was either a 0 or 1. 99.93%
    STUDENTS.MembershipShare data is "1" 99.93%
    STUDENTS.Mother_StudentCont_guid Unique ID - random string of numbers 99.93%
    STUDENTS.Person_ID Unique ID - random string of numbers 99.93%
    STUDENTS.Sched_LoadLock Data taken was either true or false 99.93%
    STUDENTS.Sched_LockStudentSchedule Data taken was either true or false 99.93%
    STUDENTS.Sched_Scheduled Data taken was either true or false 99.93%
    STUDENTS.SchoolID DESE school identifier number 99.93%
    STUDENTS.State The state where the student resides. 99.93%
    STUDENTS.State_EnrollFlag Data is either true or false. 99.93%
    STUDENTS.State_ExcludeFromReporting Data is either true or false. 99.93%
    STUDENTS.Student_Number The unique student number within the district. 99.93%
    STUDENTS.StudentPers_guid Unique identifier for the student’s personal record, long string. 99.93%
    STUDENTS.StudentPict_guid Unique identifier for the student’s picture record. Note: students' photos were NOT included in the data breach. 99.93%
    STUDENTS.StudentSchlEnrl_guid Unique identifier for the student’s school enrollment record. 99.93%
    STUDENTS.TRANSACTION_DATE Date stamp 99.93%
    STUDENTS.City The city of the student’s residence. 99.92%
    STUDENTS.Gender The student’s gender. 99.92%
    STUDENTS.Street The street address of the student’s residence. 99.86%
    STUDENTS.Zip The zip code of the student’s residence or mailing address. 99.83%
    STUDENTS.FTEID Data are numbers such as 0, 1, 2, 4, 5, etc. 99.72%
    STUDENTS.WHOMODIFIEDTYPE A, N or X 99.68%
    STUDENTS.ClassOf The graduation year for the student. 99.52%
    STUDENTS.State_StudentNumber The unique state-level identifier for the student. 98.69%
    STUDENTS.Home_Phone The student’s home phone number. 97.42%
    STUDENTS.Sched_NextYearGrade The grade level for the student in the next school year. 96.00%
    STUDENTS.Sched_YearOfGraduation The student’s expected year of graduation. 94.47%
    STUDENTS.Grade_Level The current grade level of the student. 94.35%
    STUDENTS.PhotoFlag 0 or 1 93.34%
    STUDENTS.Student_Web_ID PowerSchool username 90.59%
    STUDENTS.EntryCode 1, 2, or 3 89.93%
    STUDENTS.TransferComment Comments regarding the student’s transfer - lists the school they are coming from or going to 89.68%
    STUDENTS.Mailing_City The city listed on the student’s mailing address. 84.73%
    STUDENTS.Mailing_Street The street address for the student’s mailing address. 84.73%
    STUDENTS.Mailing_Zip The zip code for the student’s mailing address. 84.73%
    STUDENTS.Mailing_State The state listed on the student’s mailing address. 84.71%
    STUDENTS.Web_ID 6 digit random number 83.88%
    STUDENTS.Student_AllowWebAccess 0 or 1 80.69%
    STUDENTS.AllowWebAccess 0 or 1 79.49%
    STUDENTS.Mother The name of the student’s mother. 76.57%
    STUDENTS.Middle_Name The student’s middle name. 74.41%
    STUDENTS.Doctor_Name The name of the student's primary doctor. 73.33%
    STUDENTS.Doctor_Phone The phone number for the student’s doctor. 73.33%
    STUDENTS.Father The name of the student’s father. 73.30%
    STUDENTS.Ethnicity The student’s ethnicity as self-reported or recorded. 69.51%
    STUDENTS.DistrictEntryDate The date the student first entered the district. 66.80%
    STUDENTS.SchoolEntryDate The date the student first entered the current school. 63.33%
    STUDENTS.Bus_Route data ranges from the student's first name to bus numbers 60.66%
    STUDENTS.Bus_Stop most data has the student's last name 60.63%
    STUDENTS.Lunch_ID 4 digits 59.35%
    STUDENTS.Next_School The next school the student is expected to attend. 58.74%
    STUDENTS.LDAPEnabled 0 or 1 51.60%
    STUDENTS.Home_Room For some students, this lists their homeroom as a classroom number. 50.17%
    STUDENTS.ExitCode Number from 1 to 16 39.89%
    STUDENTS.ExitComment specifies the school the student is now attending 39.17%
    STUDENTS.Locker_Combination The combination for the student’s locker. 37.30%
    STUDENTS.Locker_Number The number of the locker assigned to the student. 37.30%
    STUDENTS.IP_ADDRESS last IP address that PS was used from by the student 27.46%
    STUDENTS.Emerg_Contact_1 The first emergency contact for the student. 23.92%
    STUDENTS.Emerg_Phone_1 Phone number of the first emergency contact. 23.92%
    STUDENTS.WHOMODIFIEDID number from 0-7000 23.62%
    STUDENTS.Graduated_SchoolID DESE school code 23.44%
    STUDENTS.Graduated_SchoolName Name of the school from which the student graduated. 23.41%
    STUDENTS.Sched_Priority 0, 1, 2, 3,or 4 22.36%
    STUDENTS.DistrictOfResidence The district where the student resides. 19.73%
    STUDENTS.Geocode Geographical code for the student’s residence. 17.94%
    STUDENTS.Mailing_Geocode Geographical code for the student’s mailing address. 17.77%
    STUDENTS.DistrictEntryGradeLevel The grade level of the student upon entry into the district. 17.65%
    STUDENTS.SchoolEntryGradeLevel The grade level of the student when entering the current school. 17.60%
    STUDENTS.Alert_Medical Used for medical alerts for life-threatening allergies, etc.  17.39%
    STUDENTS.Track Letter A-F, used during COVID 17.11%
    STUDENTS.GradReqSetID 0 or 1 13.61%
    STUDENTS.FedEthnicity Federal designation of the student’s ethnicity - listed as a number 10.53%
    STUDENTS.Emerg_Contact_2 The second emergency contact for the student. 9.33%
    STUDENTS.Emerg_Phone_2 Phone number of the second emergency contact. 9.33%
    STUDENTS.Team use for middle school team designation (7-1, 7-2) 8.60%
    STUDENTS.Sched_NextYearHomeRoom The homeroom assigned to the student for the next school year. 6.94%
    STUDENTS.Alert_Other note field  2.77%
    STUDENTS.GuardianEmail Email address of the student’s guardian. 2.53%
    STUDENTS.Building The building where the student is enrolled. 2.16%
    STUDENTS.Alert_OtherExpires The date when the other alert expires. 0.81%
    STUDENTS.Alert_Guardian notes field - used for court order information 0.39%
    STUDENTS.SummerSchoolNote lists the summer school attended 0.35%
    STUDENTS.Applic_Response_Recvd_Date date 0.24%
    STUDENTS.GradReqSet 1 or 8 0.11%
    STUDENTS.Applic_Submitted_Date The date when the student's application was submitted. 0.10%
    STUDENTS.Alert_GuardianExpires The date when the guardian alert expires. 0.06%
    STUDENTS.Enrollment_Transfer_Info Details about the student’s transfer - only found on 4 records 0.06%
    STUDENTS.Alert_MedicalExpires The date when the medical alert expires. 0.04%
    STUDENTS.TuitionPayer 0 or 1 0.04%
    STUDENTS.EnrollmentCode -1, 1 or 2 0.03%
    STUDENTS.Sched_NextYearBuilding The building where the student is expected to be enrolled next year. 0.03%
    STUDENTS.Alert_Discipline Indicates if the student has any disciplinary alerts. 0.01%
    STUDENTS.Family_Ident number 0.01%
    STUDENTS.SSN The student’s Social Security Number (only 1 student -will notify individually) 0.01%
    STUDENTS.Alert_DisciplineExpires The date when the disciplinary alert expires. 0.00%
    STUDENTS.Balance1 blank 0.00%
    STUDENTS.Balance2 blank 0.00%
    STUDENTS.Balance3 blank 0.00%
    STUDENTS.Balance4 blank 0.00%
    STUDENTS.CampusID blank 0.00%
    STUDENTS.Cumulative_GPA blank 0.00%
    STUDENTS.Cumulative_Pct blank 0.00%
    STUDENTS.CustomRank_GPA blank 0.00%
    STUDENTS.Enrollment_Transfer_Date_Pend blank 0.00%
    STUDENTS.EnrollmentType blank 0.00%
    STUDENTS.FedRaceDecline blank 0.00%
    STUDENTS.Fee_Exemption_Status blank 0.00%
    STUDENTS.FullTimeEquiv_obsolete blank 0.00%
    STUDENTS.GPEntryYear blank 0.00%
    STUDENTS.Graduated_Rank blank 0.00%
    STUDENTS.GuardianFax blank 0.00%
    STUDENTS.House blank 0.00%
    STUDENTS.LastMeal blank 0.00%
    STUDENTS.Phone_ID blank 0.00%
    STUDENTS.PL_Language blank 0.00%
    STUDENTS.Sched_NextYearBus blank 0.00%
    STUDENTS.Sched_NextYearHouse blank 0.00%
    STUDENTS.Sched_NextYearTeam blank 0.00%
    STUDENTS.SDataRN blank 0.00%
    STUDENTS.Simple_GPA blank 0.00%
    STUDENTS.Simple_PCT blank  0.00%
    STUDENTS.Student_Web_Password blank 0.00%
    STUDENTS.SummerSchoolID blank 0.00%
    STUDENTS.TeacherGroupID blank 0.00%
    STUDENTS.Web_Password blank 0.00%
    STUDENTS.Withdrawal_Reason_Code blank 0.00%
    STUDENTS.WM_Address blank 0.00%
    STUDENTS.WM_CreateDate blank 0.00%
    STUDENTS.WM_CreateTime blank 0.00%
    STUDENTS.WM_Password blank 0.00%
    STUDENTS.WM_Status blank 0.00%
    STUDENTS.WM_StatusDate blank 0.00%
    STUDENTS.WM_TA_Date blank 0.00%
    STUDENTS.WM_TA_Flag blank 0.00%
    STUDENTS.WM_Tier blank 0.00%
  • PowerSchool Data Field Name Field Description Percentage of breached records containing data in this field
    TEACHERS.ID Unique identifier for each record. 100.00%
    TEACHERS.dcid Internal database identifier for the record. 100.00%
    TEACHERS.DefaultStudScrn Default screen displayed for students. 100.00%
    TEACHERS.First_Name User's first name. 100.00%
    TEACHERS.GradebookType Type of gradebook assigned to the user. 100.00%
    TEACHERS.Group Group or category the user belongs to. 100.00%
    TEACHERS.Last_Name User's last name. 100.00%
    TEACHERS.LastFirst User's name displayed as last name, first name. 100.00%
    TEACHERS.Sched_IsTeacherFree Indicates if the teacher is free during scheduling. 100.00%
    TEACHERS.Sched_Lunch Scheduled lunch period. 100.00%
    TEACHERS.Sched_Scheduled Indicates if the schedule is finalized. 100.00%
    TEACHERS.Sched_Substitute Indicates if the user is a substitute teacher. 100.00%
    TEACHERS.Sched_TeacherMoreOneSchool Indicates if the teacher works at multiple schools. 100.00%
    TEACHERS.Sched_UseBuilding Indicates if building-specific scheduling is used. 100.00%
    TEACHERS.Sched_UseHouse Indicates if house-specific scheduling is used. 100.00%
    TEACHERS.StaffPers_guid Unique identifier for staff personnel. 100.00%
    TEACHERS.TeacherNumber Unique identifier for teachers. 100.00%
    TEACHERS.Users_DCID Unique identifier for users in the database. 100.00%
    TEACHERS.Status Current status of the user's account (e.g., active, inactive). 99.37%
    TEACHERS.Email_Addr User's email address. 98.45%
    TEACHERS.StaffStatus Employment status of the staff member (0-4) 89.02%
    TEACHERS.HomeSchoolId Identifier for the user's home school. 88.98%
    TEACHERS.SIF_StatePrid State-provided unique identifier. 86.06%
    TEACHERS.SchoolID Identifier for the school. 85.09%
    TEACHERS.Home_Phone User's home phone number. 80.09%
    TEACHERS.NameAsImported Name as originally imported into the system. 77.27%
    TEACHERS.PSAccess Access permissions for PowerSchool. 74.84%
    TEACHERS.PTAccess Access permissions for parent/teacher portals. 73.24%
    TEACHERS.TeacherLoginID Login ID for the teacher. 64.06%
    TEACHERS.Ethnicity User's self-reported ethnicity (1 letter) 63.72%
    TEACHERS.Photo 0 or 1 54.78%
    TEACHERS.Title User's title or position. 48.28%
    TEACHERS.Middle_Name User's middle name. 45.75%
    TEACHERS.CanChangeSchool Indicates if the user can switch between schools in the system. 44.68%
    TEACHERS.Log Log of the user's activities or changes. 42.25%
    TEACHERS.LoginID User's unique login ID. 39.44%
    TEACHERS.Homeroom User's assigned homeroom. 30.84%
    TEACHERS.Sched_MaximumConsecutive Maximum consecutive periods allowed. 21.18%
    TEACHERS.Lunch_ID Identifier for the user's lunch account - 6 digit code 15.64%
    TEACHERS.Sched_Classroom Assigned classroom for the user. 14.96%
    TEACHERS.Sched_Department Department associated with the user's schedule. 13.16%
    TEACHERS.Sched_MaximumFree Maximum free periods allowed. 12.68%
    TEACHERS.Street User's street address. 11.07%
    TEACHERS.City City where the user resides. 11.02%
    TEACHERS.State State where the user resides. 11.02%
    TEACHERS.Zip User's ZIP code. 10.98%
    TEACHERS.Maximum_Load Maximum workload or number of assignments for the user. 7.92%
    TEACHERS.HomePage User's default homepage in the system. 4.95%
    TEACHERS.PreferredName User's preferred name. 3.64%
    TEACHERS.FedEthnicity 0 or 1 2.77%
    TEACHERS.School_Phone Phone number for the user's school. 0.15%
    TEACHERS.Sched_Team Team assignment for the user. 0.05%
    TEACHERS.TeacherLoginPW blank 0.00%
    TEACHERS.Password blank 0.00%
    TEACHERS.Access blank 0.00%
    TEACHERS.AdminLDAPEnabled blank 0.00%
    TEACHERS.AllowLoginEnd blank 0.00%
    TEACHERS.AllowLoginStart blank 0.00%
    TEACHERS.Balance1 blank 0.00%
    TEACHERS.Balance2 blank 0.00%
    TEACHERS.Balance3 blank 0.00%
    TEACHERS.Balance4 blank 0.00%
    TEACHERS.Classpua blank 0.00%
    TEACHERS.FedRaceDecline blank 0.00%
    TEACHERS.IPAddrRestrict blank 0.00%
    TEACHERS.LastMeal blank 0.00%
    TEACHERS.NoOfCurClasses blank 0.00%
    TEACHERS.Notes blank 0.00%
    TEACHERS.NumLogins blank 0.00%
    TEACHERS.PeriodsAvail blank 0.00%
    TEACHERS.PowerGradePW blank 0.00%
    TEACHERS.PrefixCodesetID blank 0.00%
    TEACHERS.Sched_ActivityStatusCode blank 0.00%
    TEACHERS.Sched_BuildingCode blank 0.00%
    TEACHERS.Sched_Gender blank 0.00%
    TEACHERS.Sched_Homeroom blank 0.00%
    TEACHERS.Sched_HouseCode blank 0.00%
    TEACHERS.Sched_MaximumCourses blank 0.00%
    TEACHERS.Sched_MaximumDuty blank 0.00%
    TEACHERS.Sched_MaxPers blank 0.00%
    TEACHERS.Sched_MaxPreps blank 0.00%
    TEACHERS.Sched_PrimarySchoolCode blank 0.00%
    TEACHERS.Sched_TotalCourses blank 0.00%
    TEACHERS.SSN blank 0.00%
    TEACHERS.supportContact blank 0.00%
    TEACHERS.TeacherLDAPEnabled blank 0.00%
    TEACHERS.TeacherLoginIP blank 0.00%
    TEACHERS.WM_Address blank 0.00%
    TEACHERS.WM_Alias blank 0.00%
    TEACHERS.WM_CreateDate blank 0.00%
    TEACHERS.WM_CreateTime blank 0.00%
    TEACHERS.WM_Exclude blank 0.00%
    TEACHERS.WM_Password blank 0.00%
    TEACHERS.WM_Status blank 0.00%
    TEACHERS.WM_StatusDate blank 0.00%
    TEACHERS.WM_TA_Date blank 0.00%
    TEACHERS.WM_TA_Flag blank 0.00%
    TEACHERS.WM_Tier blank 0.00%