Top Bar

Lower Merion High School

Off-Canvas

LMHS Newsroom

PowerSchool Impacted by Cybersecurity Incident

Dear LMSD Community,

Late yesterday, PowerSchool notified our IT Department that LMSD was among PowerSchool’s many worldwide clients whose data may have been accessed during a cybersecurity incident. They became aware of the incident on December 28, 2024.

In light of this disclosure, our IT researched access to our system and saw that an unauthorized access to our system occurred on December 21, 2024. We are awaiting more information; however, want to ensure our community is aware that is an ongoing situation that is being investigated at this time.

What happened?

According to PowerSchool, someone used a compromised credential to access data stored in their Student Information System (SIS). When PowerSchool became aware of the incident, they notified law enforcement, locked down the system and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors. PowerSchool states that they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”

What data could have been accessed?

LMSD will receive a briefing from PowerSchool at 3:00 p.m. today to learn more about how LMSD specifically may have been impacted.

Initial information from PowerSchool indicates that Personally Identifiable Information (PII) for staff and students may have been accessed for some districts. This may include contact information, including names and addresses, some life-safety health and grade information for current and former students, and parent/guardian names and addresses. It does not appear that staff social security numbers were accessed; however, we are working to confirm this information. (LMSD does not retain student social security numbers).

Once PowerSchool lets us know what information from LMSD may have been accessed, we will work with them to ensure that any impacted individuals are notified and that appropriate next steps are taken.

What happens next?

PowerSchool has stated, “While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.”

While PowerSchool is responsible for this incident and its impact, out of an abundance of caution, LMSD has notified its cybersecurity contractor, Crowdstrike, to direct our further response. Crowdstrike is also working directly with PowerSchool to investigate the incident and anticipates a full report will be available around January 17, 2025. LMSD is also in consultation with its solicitor’s office and insurance provider, as directed by District Policy and Administrative Regulation 832 Cybersecurity Breach and Response, and has notified the office of the Montgomery County District Attorney.  

Who can I contact with questions and concerns?

We anticipate PowerSchool will be providing impacted individuals with resources for additional information, which we will share at that time.

LMSD is committed to protecting our student, staff and family data and will continue to communicate with transparency about this incident.

Sincerely,

Dr. Larry Mussoline
Acting Superintendent