PowerSchool Data Breach: Student & Teacher Data Stolen - Details

PowerSchool Cyberattack: Extensive Data Breach Confirmed

Multiple U.S. school districts impacted by the recent cybersecurity incident targeting PowerSchool have reported to TechCrunch that malicious actors gained access to their complete historical records of student and teacher data within their student information systems.

Scope of the Intrusion

PowerSchool, a leading provider of school records software supporting over 60 million students nationwide, experienced a security breach in December. This intrusion compromised their customer support portal through the use of compromised credentials. Consequently, a substantial amount of personal data pertaining to K-12 students and educators was exposed.

The specific perpetrator or group responsible for the attack remains unidentified at this time.

District Reports Detail Data Access

While PowerSchool has not publicly disclosed the number of affected school customers, sources within two impacted districts – requesting anonymity – have revealed that hackers obtained significant volumes of personal information related to both current and former students and teachers.

One district representative confirmed that “all historical student and teacher data” was compromised. They also noted discrepancies between PowerSchool’s reported access timeframe and their own system logs, indicating earlier unauthorized access.

Another source, from a district serving nearly 9,000 students, stated that attackers accessed “demographic data for all teachers and students, both active and historical,” spanning the entire duration of their PowerSchool usage.

Security Concerns Raised

This second source highlighted a critical security oversight, noting that PowerSchool had not implemented fundamental protective measures like multi-factor authentication on the affected system.

PowerSchool spokesperson Beth Keebler acknowledged the customers’ accounts to TechCrunch but refrained from discussing specific security controls, citing company policy. Regarding the implementation of multi-factor security, Keebler affirmed its use but provided no further details.

Public Disclosures and Confirmed Breaches

Several school districts have issued public statements regarding the impact of the PowerSchool breach. The Menlo Park City School District, also affected, confirmed access to its historical data. Their website notice indicated that data on all current students and staff, as well as records dating back to the 2009-2010 school year, were accessed.

PowerSchool spokesperson Keebler stated that the company has “identified the schools and districts whose data was involved” but declined to publicly release their names.

The company is currently working to pinpoint the specific individuals whose data may have been exposed.

Potential Breach Expansion

Mark Racine, CEO of RootED Solutions, an education technology consulting firm, suggested in a recent blog post that the breach may extend beyond PowerSchool’s 18,000 current customers, potentially impacting former clients as well.

Some districts are reporting that the number of affected students is four to ten times greater than their current enrollment figures.

Types of Data Compromised

According to a PowerSchool FAQ shared with customers, the stolen data includes names, addresses, Social Security numbers, some medical and grade information, and other personally identifiable information of students and teachers.

The Rancho Santa Fe School District, one of the first to file a data breach notice, reported that attackers also gained access to teachers’ PowerSchool credentials.

Data Retention and Exfiltration

Keebler explained that the type of data stored and retention policies for historical data vary based on individual customer needs and state regulations.

PowerSchool anticipates that the majority of affected customers did not have Social Security numbers or medical information exfiltrated.

Mitigation Efforts and Data Deletion Claims

PowerSchool claims to have taken “appropriate steps” to prevent the stolen data from being published and believes it has been deleted without further replication or dissemination. However, the company did not provide specifics regarding these steps or evidence supporting the data deletion claim.

If you possess additional information regarding the PowerSchool data breach, TechCrunch encourages you to reach out securely via Signal at +44 1536 853968 or email at carly.page@techcrunch.com, using a non-work device.