Data and personal information of LMSD students and families may have been accessed during a cybersecurity breach on Powerschool earlier this year. On January 8, 2025, LMSD sent out an email to parents and guardians informing them of a cybersecurity incident involving PowerSchool, an educational software company, which owns educational platforms such as Schoology, which is also used by the district. According to PowerSchool, LMSD was among many of their clients around the world whose data may have been accessed during this breach.
So what kind of information could have been accessed? PowerSchool, on their official website, stated that “For involved individuals, the types of information exfiltrated in the incident included one or more of the following, which varied by person: the individual’s name, contact information, date of birth, limited medical alert information, Social Security Number, and other related information.”
PowerSchool revealed that someone used a compromised credential to access data stored in the Student Information System (SIS). When PowerSchool became aware of this incident, they immediately notified law enforcement, locked down the system and enlisted the help of CyberSteward, a professional cybersecurity firm experienced in managing cybersecurity incidents and negotiating with threat actors. According to PowerSchool, they have received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
Regarding the potential impacts of this incident within LMSD , initial reports suggest that Personally Identifiable Information (PII) may have been compromised for both staff and students. This could include basic contact information such as names and addresses, life safety health details, and grade information for current and former LMSD students, as well as parent or guardian contact data. Regarding more personal information such as Social Security Numbers, the district stated that “It does not appear that staff social security numbers were accessed; however, we are working to confirm this information.” Additionally, they emphasized that,”LMSD does not retain student social security numbers.”
Although PowerSchool has stated that, “While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations.” LMSD has taken extra precautionary steps by working with the district cyber security contractor, Crowdstrike, which is also working alongside PowerSchool to ensure a thorough review of the incident. Additionally, LMSD has notified its solicitor’s office, insurance provider, and Montgomery County District Attorney’s office, as required by District Policy and Administrative Regulation 832 regarding Cybersecurity Breach and Response.
As of January 27, 2025, LMSD received updated information from PowerSchool regarding the incident that impacted their SIS. After investigating, LMSD has confirmed that no LMSD staff social security numbers were accessed during the breach. Additionally, LMSD has outlined the efforts PowerSchool has taken to strengthen security moving forward. They stated that, “PowerSchool has engaged Experian, a trusted credit reporting agency, to offer complimentary identity protection and credit monitoring services to all students and educators whose information from your PowerSchool SIS was involved. This offer is being provided regardless of whether an individual’s Social Security number was exfiltrated.”
LMSD will continue to update the community and urges students, staff and families to be on the lookout for communications directly from Powerschool and the credit monitoring service Experian regarding identity protection and credit monitoring services being offered.
