An IT provider for the public-school pupil information system has taken steps to strengthen its cybersecurity apparatus, the Commissioner of Education wrote in a message to parents.

Kalmar Richards was giving an update on the incident experienced by PowerSchool late last December.

The provider suffered a cybersecurity hack when an unauthorised party gained access to its systems via a compromised credential.

In a message seen by The Royal Gazette, Ms Richards told a parent that she was sending the note because PowerSchool had confirmed that information belonging to the parent’s child was “potentially involved in this incident”.

Details that may have been affected included the parent’s name and e-mail address, as well as the child’s student number.

Ms Richards’s note said that PowerSchool had given assurances that its systems remained secure and that there had been no further unauthorised activity.

The US-based organisation said it found no evidence of malware — disruptive software usually used in cybercrimes.

“Further, the data has not been found for sale or download on the dark web or other platforms,” the message from Ms Richards added.

The note explained: “The company says it has implemented significant security upgrades to prevent further incidents, including:

• Strengthening login security measures for all employees and contractors

• Enhancing system access restrictions and monitoring

• Increasing security audits and reducing access time windows for system maintenance

• Establishing a customer security advisory council to improve security collaboration with school districts

“While the matter is now considered closed, families with concerns are encouraged to contact the Office of the Commissioner at coe@moed.bm.”

The Government confirmed on January 10 that it had been notified of the cybersecurity incident affecting PowerSchool users.

It said then: “This breach occurred on PowerSchool’s internal systems.

“The breach has not affected any of Bermuda public schools’ other systems or networks.

“This was an isolated incident specific to PowerSchool's infrastructure. According to PowerSchool, malware was not involved in this incident.”

Ms Richards added at the time: “It is worth noting that this breach is on PowerSchool’s international system and has not affected any of the ministry’s local systems.”

Alexander White, the Privacy Commissioner, said then that the education commissioner and the Department of Education had carried out the correct steps under the newly enacted Personal Information Protection Act in response to the hack.

PowerSchool is a provider of cloud-based K-12 education software. It provided services in more than 90 countries and to thousands of students and school organisations.