PowerSchool Data Breach: Student Data Including SSNs Stolen

PowerSchool Data Breach Exposes Sensitive Student Information

PowerSchool, a leading educational technology company, has alerted its clientele to a recent data breach. Unauthorized access to highly confidential data was obtained by malicious actors, as reported by TechCrunch.

Details of the Security Incident

The compromised information includes sensitive student data such as Social Security numbers, academic grades, and medical records. This breach occurred in December and was officially acknowledged by PowerSchool on Wednesday.

Initial investigations revealed that the attackers gained entry through PowerSchool’s internal customer support portal. This was achieved using a compromised user credential.

Scope of the Data Compromise

While contact information like names and addresses comprised the majority of the stolen data, the breach extended to more sensitive details. Social Security numbers, certain medical details, and student grades were also accessed.

The personal information of parents and guardians was potentially exposed in some school districts, encompassing names, phone numbers, and email addresses. The specific data affected varies depending on the individual customer.

Impact and Response

PowerSchool serves over 18,000 customers, supporting more than 60 million students throughout North America. The company’s spokesperson, Beth Keebler, verified the authenticity of the FAQ document but refrained from disclosing the total number of individuals impacted.

The incident was not a ransomware attack, according to PowerSchool. However, the company engaged CyberSteward, a cyber-extortion response firm, to negotiate with the perpetrators.

Extortion and Data Deletion

This confirms earlier reports indicating that PowerSchool was subjected to an extortion attempt and a financial payment was made to prevent the public release of the stolen data.

When questioned by TechCrunch, PowerSchool declined to confirm whether the stolen data had been definitively deleted. CyberSteward has not yet responded to inquiries from TechCrunch.

PowerSchool maintains that it has taken all necessary measures to prevent further misuse of the compromised data and does not foresee it being shared publicly. The company believes the data has been deleted and not duplicated or distributed.

Recent Acquisition

PowerSchool was recently acquired by Bain Capital in a $5.6 billion transaction in 2024. A spokesperson for Bain Capital, Rachel Colson, declined to comment when contacted by TechCrunch this week.

Contact Information

Individuals with information regarding the PowerSchool data breach are encouraged to contact Carly Page securely via Signal at +44 1536 853968 or by email at carly.page@techcrunch.com, using a personal device.

• Affected Data: Social Security numbers, grades, medical information, contact details.
• Customers Affected: Over 18,000 schools and districts.
• Students Affected: More than 60 million across North America.