In wake of PowerSchool breach, Hassan seeks input on bolstering school cybersecurity

U.S. Sen. Maggie Hassan met with school and technology administrators in Hudson on March 17 to discuss the recent PowerSchool security breach. Telegraph photo by CHRISTOPHER ROBERSON
HUDSON – U.S. Sen. Maggie Hassan (D-NH) recently met with school and technology administrators to discuss the aftermath of the PowerSchool security breach and how to prevent such an incident from happening again.
Students’ and teachers’ personal information was compromised in the breach, which was discovered on Dec. 28, 2024. This information included names, addresses, birth dates and Social Security Numbers, all of which are stored in the company’s Student Information System.
In response, PowerSchool hired cybersecurity firm CyberSteward to ensure that no personal information was released on the dark web. At this time, it is not known who is responsible for the cyberattack as the incident continues to be investigated by the FBI and cybersecurity firm CrowdStrike.
Based in Folsom, Calif., PowerSchool provides services to approximately 18,000 school districts in 90 countries.
During the March 17 meeting at Alvirne High School, Dr. Clifton Dancy, director of Information Services for the Derry Cooperative School District, said the cyberattack was executed using “backdoor access.”
Kenneth Weeks, information security officer for the state’s Information Technology Department, said software companies will often make changes to appease the consumer.
“Things get introduced for convenience,” he said.
However, Weeks said that such changes, combined with a lack of due diligence from subcontractors, can create opportunities for cyberattacks.
“Let’s get this in a cloud-based environment,” he said.
In addition, Weeks said funds should always be allocated for cybersecurity as grants are no longer sufficient.
“We have to look at cybersecurity as critical infrastructure,” he said.
Because of budget constraints, Dancy said there is always a push for schools to keep even obsolete software for “one more year.”
“Technology is one of those places that’s outside the contracted stuff,” he said.
Therefore, he suggested a request for additional funding from the E-Rate program under the Federal Communications Commission.
Dr. Meredith Nadeau, superintendent of School Administrative Unit 21, said students have come to accept that much of their private information is readily available online.
“It shouldn’t be that way,” said Nadeau.
Regarding the response to the breach, she said PowerSchool’s communication with school administrators has been lacking.
“It was not as rapid as it should have been,” she said.
Michael Barry, superintendent of School Administrative Unit 39, said the “lag in response” from PowerSchool has made it challenging to reassure parents that their children’s information is safe.
“We’re in a really tough spot, they’re a third-party vendor,” he said.
Kevin Peterson, information technology director for the Hudson School District, said he and his colleagues have always been outnumbered by cybercriminals.
“There’s way more of them out there than there are of us in our small IT team,” he said.
Peterson also predicted that within the next 10 years, Social Security Numbers will no longer be accepted to verify a user’s identity.
On Feb. 21, Hassan, together with U.S. Sen. James Banks (R-IN) and U.S. Sen. James Lankford (R-OK), sent a letter to PowerSchool demanding answers.
“I’m pushing PowerSchool to give us a full report,” said Hassan. “One of my priorities has been to push for IT modernization. It’s an ongoing safety and fiscal issue.”
In their letter, Hassan, Banks and Lankford lashed PowerSchool for not issuing an immediate alert.
“While the breach occurred as early as December 19, 2024, you failed to detect it until December 28, 2024,” they said. “Moreover, you did not notify SIS customers of the incident until January 7, 2025 – nineteen days after the incident. Your delayed and unclear communication is unacceptable, especially given the sensitive nature of the personal data that was stolen.”