Powerschool Data Breach: Student & Teacher Data Exposed

PowerSchool Data Breach Impacts K-12 Schools

PowerSchool, a leading provider of education technology, has reported a “cybersecurity incident” resulting in unauthorized access to personal data belonging to students and teachers across numerous K-12 school districts in the United States.

Company Overview and Scope

Based in California and recently acquired by Bain Capital for $5.6 billion in 2024, PowerSchool holds the position of the largest cloud-based education software provider for K-12 institutions in the U.S.

The company’s website indicates that its services support over 60 million students within the United States, reaching more than 75% of students in North America, and serving over 18,000 customers.

Details of the Incident

On December 28, PowerSchool identified a breach affecting its PowerSource customer support portal.

This unauthorized access subsequently allowed hackers to penetrate the company’s PowerSchool SIS, the system schools utilize for managing crucial student information such as records, grades, attendance, and enrollment details.

Investigations revealed the intrusion occurred through the exploitation of a compromised user credential.

Data Access and Response

Currently, PowerSchool has not disclosed the specific types of data accessed during the incident, nor the total number of individuals impacted by the breach.

Beth Keebler, a PowerSchool spokesperson, confirmed the incident to TechCrunch but refrained from providing detailed answers regarding the specifics.

Keebler stated, “We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse.”

She further assured that the incident is contained, with no expectation of data being shared publicly, and that PowerSchool’s operations remain unaffected.

Extortion and Data Types Exposed

The precise nature of the cyberattack remains under investigation.

According to reports from Bleeping Computer, PowerSchool communicated in an FAQ to affected users that the incident did not involve a ransomware attack.

However, the company was reportedly subjected to extortion in an attempt to prevent the release of the stolen data.

Exposed information potentially includes names, addresses, Social Security numbers, medical information, grades, and other personally identifiable information.

The amount paid by PowerSchool to the hackers has not been disclosed.

Ongoing Legal Challenges

In November 2024, PowerSchool faced a class action lawsuit alleging the illegal sale of student data for commercial purposes without proper consent.

The lawsuit claims the company possesses a substantial collection of student data, totaling approximately “345 terabytes of data collected from 440 school districts.”

The allegations suggest that PowerSchool gathers sensitive information under the pretense of educational support, but primarily for its own financial benefit, obscured by complex and unclear terms of service.

Contact Information

If you possess additional information regarding the PowerSchool data breach, you can securely contact Carly Page on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com from a non-work device.