LMSD Included In School System Data Breach

LOWER MERION TOWNSHIP, PA — The Lower Merion School District said the system it uses to store student information was breached last month.

In a letter to the district community, Acting Superintendent Dr. Larry Mussoline said education software company PowerSchool learned of the breach on Dec. 28, 2024.

District IT professionals investigated their own system and found it was accessed by an outside actor on Dec. 21, 2024.

Mussoline said personally identifiable information for staff and students may have been accessed. That information may include names, addresses, some life-safety health, grade information for current and former students, and parent/guardian names and addresses.

No student social security numbers were accessed, as the district does not store student SSNs, he said. Mussoline said staff SSNs could have been accessed, but so far nothing indicates that happened.

"Once PowerSchool lets us know what information from LMSD may have been accessed, we will work with them to ensure that any impacted individuals are notified and that appropriate next steps are taken," he said.

The district said it anticipates PowerSchool will provide anyone impacted with resources for additional information.

According to PowerSchool, someone used a compromised credential to access data stored in their Student Information System. When PowerSchool became aware of the incident, they notified law enforcement, locked down the system and engaged the services of CyberSteward, a professional advisor with experience in negotiating with threat actors. PowerSchool said they have received "reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist."

"While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations," PowerSchool said.

The district notified its cybersecurity contractor, Crowdstrike, to direct its further response. Crowdstrike is also working directly with PowerSchool to investigate the incident and anticipates a full report will be available around Jan. 17, the district said.

LMSD is also in consultation with its solicitor’s office and insurance provider, as directed by district policy and Administrative Regulation 832 Cybersecurity Breach and Response, and has notified the office of the Montgomery County District Attorney.