PowerSchool, a leading U.S. edtech company, has commenced notifications to individuals impacted by a data breach that occurred in December 2024, which is expected to affect millions of educational professionals and students throughout North America.
In a recent statement released on Monday, PowerSchool announced that it had initiated the process of filing mandatory regulatory notifications following the breach. This incident involved hackers utilizing a compromised account credential to infiltrate the company’s customer support portal, leading to the extraction of extensive sensitive data belonging to students and teachers. Previously, PowerSchool informed TechCrunch that the breached account did not utilize multi-factor authentication for security.
Based in California, PowerSchool has already reported a data breach to the Attorney General of Maine, confirming that over 33,000 residents from the state experienced data theft during this breach. While Maine law typically mandates organizations to disclose the full number of individuals affected, PowerSchool has yet to provide this information.
Bleeping Computer, referencing various sources, states that the hackers involved in the PowerSchool breach may have accessed the personal information of more than 62 million students and 9.5 million teachers. PowerSchool claims on its platform that it serves over 60 million students.
When queried about the authenticity of the reported figure indicating that 62 million students might be affected, PowerSchool spokesperson Beth Keebler (via crisis communication firm FTI Consulting) mentioned to TechCrunch that the organization “cannot confirm” a specific count of impacted individuals as the data review process is still underway. PowerSchool indicated that updates would be shared with state attorneys general as this process continues, implying that the actual number of affected residents in Maine could surpass the currently reported figure of 33,000.
“The complexity of this process arises because the data review for on-premises clients requires additional coordination between PowerSchool and those clients,” remarked the spokesperson for PowerSchool.
Millions of students confirmed as affected
Numerous questions remain about the PowerSchool data breach: It is still unknown who orchestrated the attack, what proof PowerSchool allegedly received confirming the deletion of its stolen data, and how much the company potentially paid in ransom to the cybercriminals. The scarcity of information related to the incident has compelled affected school districts to collaborate in assessing the extent and consequences of the breach.
In a statement on its incident page, PowerSchool asserts it cannot yet verify which types of sensitive information were accessed “because this varies for each customer and is based on their selections or district policies and regulations.” TechCrunch has received reports from multiple affected school districts that virtually “all” of their historical data stored in PowerSchool, including sensitive information concerning parental access rights to their children, was compromised.
The Toronto District School Board (TDSB), which recently confirmed that hackers accessed nearly 40 years’ worth of student data, is currently the most severely impacted entity, with approximately 1.5 million students’ data compromised. A letter to parents, examined by TechCrunch, disclosed that the stolen data includes details such as gender, grade level, medical information, and accommodation data.
Bleeping Computer also includes the Calgary Board of Education (CBE) among those affected by the incident, noting that data pertaining to over 500,000 students was also compromised. CBE spokesperson Joanne Anderson stated in a communication to TechCrunch that the board “has not received confirmation from PowerSchool regarding the number of impacted students and staff or specific details of the data that was accessed.”
The impacted school districts are also reaching out to individuals whose data was compromised during the PowerSchool breach. The West Ada School District in Idaho, which serves nearly 40,000 K-12 students, informed parents in a letter reviewed by TechCrunch that personal information including “life-safety health and grade information for current and former students” was accessed.
Alexandria City Public Schools in Virginia, catering to over 16,000 students, has also confirmed the breach of student data. In a letter distributed to parents, the district mentioned that hackers accessed personal information, medical records, and free meal status of students.
Additionally, a statement from the Rochester City School District confirms that 134,000 students were included in the data breach. The district, managing 46 schools in New York, indicated that the accessed information includes legal alerts and medical conditions.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
