PowerSchool Data Breach: Student & Teacher Notifications Begin

January 28, 2025
PowerSchool Data Breach Impacts Millions of Students and Teachers

The prominent U.S. educational technology company, PowerSchool, has initiated notifications to individuals impacted by a substantial data security incident that occurred in December 2024.

Breach Details and Initial Response

PowerSchool announced on Monday that it has commenced fulfilling its legal obligations regarding regulatory notifications following the breach. Attackers exploited a compromised account credential to gain access to the company’s customer support portal, resulting in the extensive extraction of sensitive data pertaining to students and educators.

Previously, PowerSchool informed TechCrunch that the account utilized in the attack lacked the protection of multi-factor authentication.

Maine Data Breach Notification

A data breach notification filed with the Maine attorney general reveals that the personal information of over 33,000 residents of that state was compromised during the incident.

Despite Maine law generally requiring disclosure of the total number of affected individuals, PowerSchool has not yet released a comprehensive figure.

Reported Scale of the Breach

According to reports from Bleeping Computer, citing various sources, the hackers potentially accessed the personal data of more than 62 million students and 9.5 million teachers.

PowerSchool’s own website states that its technology serves over 60 million students nationwide.

Confirmation of Affected Numbers

When questioned about the reported figure of 62 million affected students, PowerSchool spokesperson Beth Keebler, through FTI Consulting, stated that the company “cannot confirm” a precise number due to the ongoing data review process.

PowerSchool indicated that updates will be provided to state attorneys general as the review progresses, suggesting the number of affected Maine residents may increase beyond the currently reported 33,000.

Challenges in Data Review

“The process is complex, as reviewing data for customers who host systems on-premises necessitates collaboration between PowerSchool and those specific customers,” explained the PowerSchool spokesperson.

Ongoing Questions and Concerns

Millions of students have already been confirmed as affected.

Several critical questions surrounding the PowerSchool data breach remain unanswered. These include the identity of the attackers, the validity of claims regarding data deletion, and the potential ransom payment made by the company.

The lack of transparency has compelled affected school districts to collaborate in investigating the breach’s impact and scope.

Data Types Potentially Compromised

PowerSchool has stated that it cannot yet determine the specific types of sensitive data accessed, as this varies depending on individual customer configurations and district policies.

However, TechCrunch has received reports from multiple school districts indicating that “all” of their historical data stored within PowerSchool, including sensitive information related to parental access rights, was accessed.

Impact on Specific School Districts

  • Toronto District School Board (TDSB): Confirmed that hackers accessed nearly 40 years of student data, impacting almost 1.5 million students. Stolen data includes gender, grade information, medical data, and accommodation details.
  • Calgary Board of Education (CBE): Reports indicate that data of over 500,000 students was taken, though CBE awaits confirmation from PowerSchool.
  • West Ada School District (Idaho): Notified that personal information, including “life-safety health and grade information” for current and former students, was accessed.
  • Alexandria City Public Schools (Virginia): Confirmed that student data, including personal information, medical data, and free meal statuses, was compromised.
  • Rochester City School District (New York): Confirmed that 134,000 students were affected, with accessed information including legal alerts and medical diagnoses.

Affected school districts are actively notifying individuals whose data was stolen during the PowerSchool breach.

The incident underscores the critical importance of robust cybersecurity measures within the education sector to protect sensitive student and teacher information.
