PowerSchool Data Breach: 16,000 UK Students Affected

PowerSchool Data Breach Impacts 16,000 UK Students

PowerSchool, a leading U.S. educational technology company, has verified a data breach affecting approximately 16,000 students located in the United Kingdom. The incident involved the theft of personal and sensitive data, occurring in December 2024.

Breach Notification and Scope

Notifications regarding the breach have recently been initiated by PowerSchool for individuals residing outside of the United States and Canada. The initial confirmation of the breach came in January, revealing that unauthorized access was gained to the personal data of millions of students and educators.

This access was achieved through compromised credentials used to infiltrate the company’s customer support portal. While the total number of internationally affected students remains unconfirmed, PowerSchool has stated that four schools within the U.K. were specifically impacted.

Data Compromised

According to a letter sent to those affected, and reviewed by TechCrunch, the compromised data includes student contact details, dates of birth, and limited medical information, alongside other associated data. The specific information obtained varied depending on the individual and their associated school.

Beth Keebler, a PowerSchool spokesperson, indicated to TechCrunch that the extent of data exfiltration differed across their customer base. The company has, however, refrained from disclosing the names of the U.K. schools involved in the incident.

Limited Support for International Victims

PowerSchool’s incident page, which was temporarily unavailable, previously indicated that credit monitoring services would not be offered to breach victims outside of the U.S. and Canada.

ICO Investigation and Data Controller Status

The U.K.’s Information Commissioner’s Office (ICO) has stated that it had not received a data breach report from PowerSchool, as confirmed by spokesperson Lucy Milburn.

PowerSchool has acknowledged not filing a report with the ICO, asserting that it does not function as a data controller under U.K. data protection regulations. A data controller is defined as an organization responsible for determining the purposes and methods of personal data processing.

TechCrunch has contacted the ICO for further clarification regarding PowerSchool’s claim.

Overall Impact and Transparency Concerns

Despite identifying the schools and districts whose data was compromised, PowerSchool has yet to release a definitive count of all individuals affected by the December breach. Reports suggest that over 62 million students and 9.5 million teachers had their personal and sensitive data exposed.

While PowerSchool has consistently declined to validate these figures, its website states that its technology serves more than 60 million students.

Contact Information

Individuals with additional information regarding the PowerSchool data breach are encouraged to contact Carly Page securely via Signal at +44 1536 853968 or by email at carly.page@techcrunch.com, using a non-work device.