Public schools IT provider suffers cybersecurity breach
Public schools across the island were the victims of a cybersecurity hack, the Department of Education has confirmed.
In a statement tonight, a spokeswoman for the ministry said that a student information system provider for public schools suffered a “cybersecurity incident" that affected its customers.
The spokeswoman said that the provider — PowerSchool — suffered a security breach when an unauthorised party gained access to its systems via a compromised credential.
She added: “This breach occurred on PowerSchool’s internal systems.
“The breach has not affected any of Bermuda public schools’ other systems or networks. This was an isolated incident specific to PowerSchool's infrastructure.
“According to PowerSchool, malware was not involved in this incident. PowerSchool has advised the department that the incident has been contained and that their systems remain secure.
“The unauthorised access allowed the party to reach the management console of PowerSchool’s Powersource tool.
“The data that may have been compromised includes family and staff contact information such as name and address information.
“PowerSchool has also indicated that for some individuals across their customer base, some personally identifiable information, or PII, such as medical information may have been impacted. They are still investigating whether PII belonging to our students was included.
“PowerSchool believes that the compromised data has been deleted and will not be shared publicly. They are actively working to prevent further unauthorised access or misuse of data.”
The spokeswoman said that PowerSchool was a leading provider of cloud-based K-12 education software based in the United States, providing services in more than 90 countries and to thousands of students and school organisations.
Kalmar Richards, the Commissioner of Education, has informed the Office of the Privacy Commissioner about the incident.
Additional information will be provided to the commissioner, school staff and families as it becomes available.
Ms Richards said: “We are in close contact with PowerSchool and are actively monitoring the situation. It is worth noting that this breach is on PowerSchool’s international system and has not affected any of the ministry’s local systems.
“We understand that this incident may raise concerns, and appreciate your continued understanding as we work to address this issue. The safety and security of our students’ and staff’s data remains a top priority.
“PowerSchool has informed us that it has contained the breach and is working to prevent any further unauthorised access or misuse of the compromised data.
“They are taking steps to ensure the data will not be publicly shared. They continue to investigate the incident and will share information as it becomes available.”
Families and staff with any questions or concerns may contact the Office of the Commissioner by e-mail at coe@moed.bm.