PowerSchool Breach: Impact of Company Verification

In an earlier statement, the company said it became aware of a “potential cybersecurity incident” involving one of its “community-oriented” online portals called PowerSource on Dec. 28.

“PowerSchool has not experienced and does not expect any disruptions and continues to provide services to our customers as usual,” the company said in a statement. “As soon as we became aware of the incident, we immediately activated our cybersecurity response protocols and mobilized a cross-functional response team, including senior management and third-party cybersecurity experts.”

In letters to parents this week, superintendents of Needham and Nashoba regional districts said the company notified them that an “unauthorized party” had accessed personal information of students and teachers in the school districts using the PowerSchool SIS platform.

The breach affected a variety of district data, including student accounts, grades, attendance and enrollment, school officials said.

It’s unclear how many school districts in Massachusetts have contracted with PowerSchool; A spokesman for the state Department of Elementary and Secondary Education said the agency does not track which districts use the software.

The names and home addresses of students and teachers at Needham and Nashoba Regional Public Schools have been compromised, according to letters from superintendents. The data may also include social security numbers and medical and grade information of current and former students, depending on the specific school district, officials said.

“This news is extremely concerning as we are entrusted with the security of private information,” Nashoba Regional School District said in a statement. “We will provide more information as it becomes available.”

Needham School officials became aware of a “potential cybersecurity incident” Tuesday after PowerSchool reported that the information was obtained using compromised credentials, Superintendent Dan Gutekanst said in a statement.

Needham has not used PowerSchool to collect Social Security information for years, and school officials have not received confirmation that Needham schools were affected by the hack, the statement said. PowerSchool will provide “credit monitoring” to affected adults and “personal data protection services” to affected minors.

“When we have more information … we will pass it on to the families and the community, as well as any specific individuals affected,” Gutekanst said in the letter. “The county is also looking into what happened domestically and whether we need to take additional security measures on our end.”

Other Massachusetts areas affected by the breach include Woburn, Westford and Millis, WHDH-TV reported Their executives could not be reached for comment Thursday morning.

Meanwhile, a Massachusetts State Police spokesman said the agency “is aware of a potential cybersecurity incident involving the PowerSchool student information system from reports by education officials to the Massachusetts Commonwealth Fusion Center Cybersecurity Program.”

State police “encourage PowerSchool customers to seek guidance directly from the vendor to understand the potential impact to their organization,” the agency said.

Additional states with school districts affected by the breach include Connecticut, North Carolinaand Indianaaccording to published reports.

In less than a week in 2025, there have already been 22 data breaches affecting more than 23,000 Massachusetts residents, state data as of January 6 show. This number does not yet include PowerSchool breaches affecting school districts.

The largest breach this year occurred at the Northeastern Network of Rehabilitation Hospitals, affecting more than 22,514 Massachusetts residents. Massachusetts requires companies and other organizations that have personal information to notify the state of a breach.

This report used material from previous Globe stories and the Globe Data team also contributed. This breaking story will be updated as more information is released.

Travis Andersen can be reached at [email protected].