Westerville, Upper Arlington and Grandview Heights school districts were among thousands of nationwide impacted by a data breach of a software platform that manages student and teacher information.
Westerville, a district of around 14,600 students, announced in an email to parents that software company PowerSchool was hit by a data breach. The district said the data breach has since been contained.
"PowerSchool is still working on identifying the scope of the data breach, but we can confirm that our student information was accessed. It is important to note that the district does not store Social Security numbers in PowerSchool," the email said.
PowerSchool provides services to over 18,000 school districts nationwide, according to its website. Some of the other districts in the Columbus area that use the software include Olentangy Local School District, Upper Arlington Schools, Grandview Heights Schools and New Albany-Plains Local Schools.
Upper Arlington's letter to parents explained the situation further. The district of about 6,500 students said PowerSchool has negotiated with the perpetrator. The company was told by the perpetrator that the data has been deleted and that no additional copies exist.
The company doesn't believe the data will be shared or made public.
The company told the Westerville district that there is no evidence of malware or ongoing unauthorized activity within their systems.
Westerville declined to comment further.
Unlike Westerville, Upper Arlington did have some social security numbers of former students accessed within its system. The district explained that it used to input that private information into PowerSchool, but hasn't done so in years.
The district said it has notified the 19 former students whose social security numbers may have been accessed. The district said that data was from 10 years ago.
Columbus City Schools told WOSU none of the district’s products or systems were impacted by this incident because the district does not use the PowerSchool SIS system. CCS does utilize three PowerSchool tools that were not affected, as confirmed by PowerSchool’s forensic review.
"We are closely monitoring the situation. While no immediate action is required from our district, we remain committed to safeguarding the security of our data and systems. As part of this commitment, we are conducting our own internal monitoring. We will continue to stay informed as PowerSchool addresses this matter," CCS said in a statement.
Westerville said the breach was limited to the PowerSchool system and did not impact other accounts used by district employees, such as Google.
"We take this matter very seriously and are very concerned about the breach that PowerSchool experienced. We remain committed to protecting the security and privacy of all our data," the email from Westerville said.
The districts that responded to WOSU said they are still working to conduct reviews of the situation, including taking more security steps if necessary and reviewing their internal systems.
