NEWPORT — The personal information of students and staff in at least three school districts in the Upper Valley has been compromised by a nationwide cyberattack on a company that provides database software to K-12 schools.

California-based PowerSchool discovered in late December that hackers had used stolen credentials to download student and teacher information databases throughout the U.S.

The Claremont, Newport and Rivendell school districts each learned on Jan. 7 that the breach had compromised their student information systems.

The stolen data primarily contains contact details such as names and addresses, but “could also include Social Security numbers (SSNs), personally identifiable information, (PII), medical information, and grades,” the Newport School District stated in a Jan. 9 announcement.

Particularly irksome to the distinct was the length of time it took PowerSchool to notify its customers after it discovered the breach on Dec. 28.

“We are further upset by PowerSchool’s unacceptable 10-day delay in notifying us about the breach,” the announcement, which was sent to staff members and parents and guardians, stated.

The Rivendell Interstate School District learned that its student database had been accessed, but that only certain categories of data had been compromised. The district serves students in Orford, N.H. and Fairlee, Vershire, and West Fairlee, Vt.

“Data in this breach include student and staff records including, first names, last names and dates of birth,” Superintendent Jennifer Botzojorns wrote in a letter to families and staff members on Jan. 10. Social Security numbers and health information were not included in the Rivendell breach, Botzojorns wrote.

The records included in the security breach extend from the 2018-2019 school year to the present, her letter said.

The Claremont School District was similarly impacted. The district does not enter Social Security numbers into PowerSchool, Superintendent Chris Pratt said by email Tuesday. Other identifying information, including medical information, was potentially compromised.

In a letter to families and staff, Pratt recommended that anyone potentially impacted by the breach monitor their financial and online accounts for unusual activity and consider using identity protection services.

PowerSchool is the parent company of SchoolSpring, one of the most widely used education job boards in the U.S.

Although Hartford uses SchoolSpring to post open positions, it does not use any other PowerSchool products, and was not impacted by the breach, interim Superintendent Caty Sutton said by email Monday.

Neither Lebanon, Mascoma Valley Regional, White River Valley, Mountain Views, nor Windsor Southeast were impacted, as those districts do not use PowerSchool’s software.

The Lebanon School District moved away from PowerSchool in 2023 after their database was hit with a cyberattack in June of that year. The attack prompted the district to temporarily shut down its payroll and student information systems. It now uses Portland, Ore.-based Alma, which is used by about 33% of school districts in New Hampshire, according to the state’s Department of Education.

PowerSchool will reach out to families and school staff whose information was compromised and provide access to credit monitoring services, Botzojorns’ letter said.

Christina Dolan can be reached at cdolan@vnews.com or 603-727-3208.