PowerSchool Data Security Incident

As you may know or recollect, ASH uses the solution of PowerSchool Holdings, Inc. ("PowerSchool") as its student information system. This system is used to store certain information about ASH students and parents. Since we started using this system, we have received many requests for information from our (former) students. As of 2004, we have elected to keep all information available in order to respond to such requests.

On Wednesday, January 8, 2025, PowerSchool informed us of unauthorized access to their systems by a third party (the "Incident").  

What happened?

PowerSchool recently fell victim to cybercrime. As a result, an unauthorized third party gained access to the customer support portal for PowerSchool products. Through this support tool the unauthorized third party was able to extract certain data that was stored on PowerSchool Products of schools around the world using PowerSchool, without having actual access to those schools' IT systems. The information extracted included personally identifiable information of current and former ASH students. None of the IT systems of American School of The Hague were affected in any way.

Although the information concerned is in general not sensitive, according to the GDPR, and of a generic nature, we feel obliged to inform you of this incident, nevertheless.

From an operational perspective PowerSchool was able to prevent further unauthorized access to the affected part of the system quickly with the help of external experts and took additional protective measures.

In addition, upon notification, we also took measures to prevent repetition of the incident by resetting access to and disconnecting the support tool of the PowerSchool main services.  

PowerSchool has informed us that they made arrangements with the unauthorized third party to delete the stolen data in the interest of protecting the personal data of current and former students. The attacker has assured PowerSchool that all data has been deleted. However, we cannot provide complete certainty about this.

In addition to informing you about the incident, we will also report the incident to the Dutch Data Protection Authority.

What does this mean for you?

You are receiving this letter because your data has been downloaded. This data consists of: your student's first and last name, in some cases the first and last name of parents/guardians, guardians’ email address, and their Dutch phone number, your student’s date of birth, and gender, and in some cases, your student’s physical address, doctor’s name and phone number, and emergency contact name and phone number.

Note that with the exception of current or recent students, this information is most likely outdated.

Preventing and mitigating negative consequences for current and former students is our highest priority. Therefore, in addition to informing you about the incident, we would like to provide you with guidance on how to recognize fraud and what to do if you suspect your personal data is being misused.

Criminals may attempt to misuse your data. Therefore, we advise you to remain extra vigilant for unexpected or suspicious phone calls, emails, or text messages asking for information about yourself. If in doubt, never share your information with someone who contacts you unsolicited or purports to work for ASH.

For additional tips, we advise you to consult this information page from the Dutch Data Protection Authority: https://www.autoriteitpersoonsgegevens.nl/en/themes/security/data-breaches/victim-of-a-data-breach-this-is-what-you-can-do  

What happens next?

As mentioned, we will notify the Dutch Data Protection Authority. We have double-checked our own security and will continue to do so regularly, and operational impact was minimal. We believe we have received all relevant information from PowerSchool and all necessary measures have been taken to prevent repetition. We do not believe further action is required, but you may have questions or suggestions for us. In that case, please contact us at dpo@ash.nl.

We highly value the protection of our alumni's personal data and aim to communicate transparently about it. Consistent with the General Data Protection Regulation, we are trying to contact all alumni who may have been affected. If you have not been contacted and believe you may have been affected, please feel free to contact our Data Protection Officer (DPO) at dpo@ash.nl.

We apologize for any inconvenience caused. 

Courtney Lowe

Director