January 9, 2025
RE: PowerSchool Cyber Security Incident Update 1
Dear North Haven Families,
On January 7, 2025, North Haven Public Schools received notification of a data security incident from a contracted service provider, PowerSchool. PowerSchool is a vendor that many school districts in Connecticut, and across the globe, use to manage student information and data. In its notification, PowerSchool informed the District that the data security incident affected its PowerSchool Student Information System, a tool that the District uses to store and manage student information. PowerSchool informed the District that the incident affected the District’s data.
PowerSchool has indicated that upon learning of potential unauthorized access, they immediately contacted a 3rd party cyber security firm (CrowdStrike) to investigate the incident. They have stated that they have contained the incident and have taken steps that will further enhance data security going forward. PowerSchool has reported that it currently has no evidence that there has been any misuse of or public disclosure of the accessed information and that it believes that the data which was improperly accessed has been deleted. The cyber security firm is currently monitoring the Dark Net for any evidence that the data has been exposed. So far, there is no evidence that any of the data has been disseminated.
While PowerSchool has not directly identified the affected individuals to us at this time, the North Haven Public Schools Technology Department began an immediate internal investigation to confirm whether any of the North Haven Public Schools’ data were compromised and the details of the data that was exported from our system. In the table below, you will find a description of the general information that was stored within the data accessed without authorization in connection with the PowerSchool breach. We are continuing to gather information from PowerSchool and conducting our own analysis and we will follow up in a timely fashion with a letter to the email on file for these individuals to inform them if they were among this subset. Because we made the affirmative decision not to store student social security numbers within PowerSchool, no social security numbers or other financial information of students were included in the PowerSchool data breach.
We take the privacy of student information very seriously and expect our vendors do the same. We will continue to pursue information regarding the scope and nature of this incident, and we will provide updates to those impacted by it as we learn more. A full investigative report is expected to be released by CrowdStrike on or around January 17th. If you have any questions, please contact us via email at [email protected]
Sincerely,
Patrick Stirk Jenn Kozniewski
Superintendent of Schools Director of Technology and Safety
Types of Data Exported for All Past and Present Students:
- Graduated School
- Exclude from state reporting - numeric identifier for student attending other schools
- Lunch application submission date
- Allow Student Access to PowerSchool - Check Box entry value
- Lunch listed as last meal of the school day
- Who last modified information
- Date student enrolled in NHPS
- Student's City
- The year the current entry entered the Grad Planner - Not used
- Grade student is currently enrolled in
- Comment of why student transferred out of NHPS
- ID of user that modified something in PS
- Student's Middle Name
- Reason a student transferred out of district or unenrolled from school
- The next School a student will be enrolled in (example Middle School to High School)
- Registered, Pre-Registered, Transferred Out
- The related person in the Relationship table. Indexed.
- School Identifier for this Student's Summer School, if applicable.
- Team - Used just at the MS
- Exit date of school year or when student transfers out
- City
- IP Address of Internet Service Provider of a student's last login in PowerSchool
- Locker Combination stored for MS and HS students
- Set to 1 if a photo exists for this student, if no photo obtained, it is just a numeric value
- Student's Home Phone
- Mailing Street
- Ethnicity
- Grade Level a student entered into school
- Student Password (legacy field not in use currently) - exported as hashed, changed over to Google SSO to negate credentials on 1/8, We are encouraging PW changes for any MS/HS student using lunch code and will reset all elementary student passwords for them
- Student's Doctor's Name
- Globally unique ID number for this table for SIF compliance. Indexed.
- Bus Route-not used
- Legacy full time equivalency number
- If a student paid tuition- N/A
- Exclude from Class Rank
- Mailing State
- School ID Number
- Student's background ID
- Grade level student entered into district
- True/False. Used for state reporting to indicate he or she is enrolled at the state level.
- Code student entered-Enrolled, re-enrolled, retained
- Next grade for Students-used for scheduling purposes
- The amount of a student's membership this school claims. If a student attends more than one school each one will only be able to claim a certain portion of the membership. The largest number for this will usually be 1 and fractions expressed as decimals. Like .5 or .25.
- Reason student exited NHPS
- Team student will be on next year-MS Only-for scheduling purposes
- Lock Loading Student Schedule
- Priority set for scheduling
- Student's Locker Number
- Student Number
- Identifier that ties students in the same family together
- GPA
- Graduation Year
- State
- Information regarding why/where a student is transferring from
- Street
- Powerlink Language
- Enrolled, transferred out
- District Enrolled
- Date student entered district
- ID number of School enrolled in
- A flag indicating if this student has had a schedule built for them. True means they do have a schedule and another will not be made unless the engine is told to reschedule regardless of this flag. False, the engine will build a schedule for this student next time.
- Zip Code
- The rank for the student as of the last time GPA calculations ran based on their custom calculations.
- Date entered for school year
- Gender
- Student PowerSchool Username - Tech Department migrated all students to Google Logins on Jan. 8th to nullify this risk
- Used to indicate which home room teacher a student will have next year for scheduling- we do not use this field
- Legacy- date of record creation
- ID for lunch
- Free, Reduced, Paid Lunch Status
- Cumulative points
- Doctor's phone number
- Reason student exited NHPS
- Access ID for parents to create accounts- NOT parent account credentials- this is only for initial account creation and is not the parent username or password. Reset by Tech Department on January 8
- Next building student will be enrolled in for upcoming year
- State student ID
- When a student is transferred between schools, the date that enrollment is pending
- Student's First Name
- Graduated School ID- Default code for student who have graduated
- The simple percent GPA for the student as of the last time GPA calculations ran.
- The graduation requirements this student follows.
- Notes about transferring students.
- Student's Date of Birth
- Student's Last Name
- Access code for parents to create accounts (NOT parent account credentials)- exported as hashed but Tech Dept reset all on Jan 8th as precaution
- Enrollment ID number
- Emergency Contact 1 Phone Number
- Mother's name
- Emergency Contact 2 Phone Number
- Student Number
- Home Room
- Student's Graduating Class
- Fee Balance
- Emergency Contact 2 Name
- Fee Balance
- Father's Name
- Zip Code
- Fee Balance
- Students Full Name
- Date Received Lunch Application
- Check Box to allow student access to PowerSchool portal
- Ethnicity
- Full Time Equivalency
- Code for enrolling-EN, RE, PR
- Guardian Email (legacy field, not used for several years)
- Emergency 1 Contact Name
- Rank for Graduation