Although it is only February, the recent cyberattack on U.S. edtech leader PowerSchool could emerge as one of the year’s most significant data breaches.
PowerSchool, which delivers K-12 software services to over 18,000 schools serving approximately 60 million students throughout North America, acknowledged the breach in early January. The California-based enterprise, which was acquired by Bain Capital for $5.6 billion in 2024, reported that hackers used compromised credentials to infiltrate its customer support portal. That foothold subsequently granted access to its school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment data.
“On December 28, 2024, we became aware of a possible cybersecurity incident involving unauthorized access to certain PowerSchool SIS information via our community-focused customer portal, PowerSource,” stated PowerSchool spokesperson Beth Keebler to TechCrunch.
PowerSchool has been transparent about specific aspects of the breach. Keebler informed TechCrunch that the PowerSource portal did not have multi-factor authentication enabled at the time of this incident, whereas PowerSchool’s main system was secured with it. Yet, numerous critical inquiries remain unanswered.
TechCrunch posed several unresolved questions regarding the incident, which could significantly affect millions of students across the U.S. However, Keebler refrained from answering these questions, stating that updates regarding the breach would be communicated on the company’s incident page. The company announced on January 29 that notifications would begin to be sent to individuals and state regulators impacted by the breach.
PowerSchool communicated to its customers that it would provide an incident report from cybersecurity firm CrowdStrike, which was hired to examine the breach, by mid-January. However, several sources associated with the affected schools have indicated to TechCrunch that they have yet to receive this report.
Customers of PowerSchool have numerous unanswered questions, leading those impacted by the breach to collaborate in investigating the incident.
Below are some of the remaining unanswered questions.
The extent of affected schools and students remains unclear
TechCrunch has been informed by schools impacted by the PowerSchool breach that its scope might be “massive.” However, PowerSchool has consistently refrained from disclosing the number of schools and individuals affected, despite stating to TechCrunch that it had “identified the schools and districts whose data was involved in this incident.”
Bleeping Computer, referencing multiple sources, states that the hacker behind the PowerSchool breach reportedly accessed the personal information of over 62 million students and 9.5 million teachers. PowerSchool has repeatedly declined to verify this figure.
Although PowerSchool hasn’t disclosed a specific number, its recent filings with state attorneys general indicate that millions of personal records may have been compromised during the breach. For instance, in a report to Texas’ attorney general, PowerSchool acknowledged that nearly 800,000 residents of the state had personal data exposed.
Communications from the school districts that suffered breaches provide a general sense of the scale involved. For example, the Toronto District School Board (TDSB), which serves approximately 240,000 students annually, reported that the hacker might have accessed around 40 years of student data, including almost 1.5 million students’ records taken in the breach. Similarly, the Menlo Park City School District in California confirmed that information regarding all current students and staff—approximately 2,700 students and 400 staff—was also accessed, along with data from students and staff dating back to the 2009-2010 academic year.
The specific types of stolen data remain undetermined
Not only is the total number of affected individuals uncertain, but the types of data accessed in the breach also remain unclear.
In a communication provided to its customers earlier in January, which was reviewed by TechCrunch, the company acknowledged that the hacker obtained “sensitive personal information” pertaining to students and teachers, including academic records, attendance, and demographic details. The company’s incident page also noted that stolen data could involve Social Security numbers and medical information, but clarified that “the information exfiltrated varied among our customer base based on differing requirements.”
Additionally, multiple schools impacted by the breach mentioned to TechCrunch that “all” of their historical data related to students and teachers had been compromised.
An individual associated with one affected school district revealed to TechCrunch in February that the stolen information contained sensitive details about students, including parental access rights and information relating to medications required by certain students.
A source revealed to TechCrunch that PowerSchool has equipped affected schools with a “SIS Self Service” tool that can query and present a summary of the customer data stored within the PowerSchool systems. Nonetheless, PowerSchool informed these schools that the tool “may not accurately depict data that was exfiltrated during the breach.”
It remains unclear whether PowerSchool possesses any technical resources, such as logs, to identify the specific types of data stolen from individual school districts.
PowerSchool has not disclosed any ransom amount paid to the hackers
PowerSchool confirmed to TechCrunch that it has taken “appropriate steps” to prevent the stolen data from being made public. In communications to its clients, the company indicated that it enlisted the help of a cyber-extortion incident response firm to negotiate with the attackers responsible for the breach.
This strongly hints that PowerSchool may have paid a ransom to the hackers who compromised its systems. However, when TechCrunch inquired, the company withheld information on the amount paid and the original ransom demand.
Uncertainty remains regarding evidence of data deletion
Keebler from PowerSchool informed TechCrunch that the company “does not expect the data to be shared or publicly released,” expressing confidence that the data has been deleted without further replication or dissemination.
However, PowerSchool has repeatedly avoided disclosing what evidence it possesses suggesting that the stolen data has indeed been deleted. Early reports mentioned that the company received video evidence, yet PowerSchool has neither confirmed nor denied this when questioned by TechCrunch.
Even if there is proof of deletion, it does not guarantee that the hackers no longer possess the data. For example, the recent U.K. takedown of the LockBit ransomware group uncovered proof that the group still held data from victims who had complied with ransom demands.
Details about the perpetrators remain unknown
A significant unknown about the PowerSchool cyberattack is the identity of those responsible. The company has had communications with the hackers but has chosen not to disclose their identity, if it is known. CyberSteward, the Canadian incident response organization that PowerSchool collaborated with on negotiations, did not respond to TechCrunch’s inquiries.
The findings from CrowdStrike’s investigation are still unexplained
PowerSchool is collaborating with CrowdStrike to probe the breach. Customers were informed that the security firm’s findings would be made public by January 17. However, as of now, the report has not been released, and affected school districts have reported to TechCrunch that they have not yet seen the report. CrowdStrike refused to comment when approached by TechCrunch.
CrowdStrike did release an interim report in January, which TechCrunch has examined, but it did not provide any new details regarding the breach.
If you have additional information about the PowerSchool data breach, we would like to hear from you. From a non-work device, contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.
Compiled by Techarena.au.