
PowerSchool Data Breach: What They Aren't Telling You

March 10, 2025

PowerSchool Data Breach: A Deep Dive into the 2025 Incident

Only a few months into 2025, the cyberattack on U.S. edtech company PowerSchool is shaping up to be one of the most significant data breaches the education sector has seen.

Initial Disclosure and Scope

PowerSchool, a provider of K-12 software used by more than 18,000 schools and holding data on roughly 60 million students across North America, first disclosed the compromise in early January 2025.

The company, acquired by Bain Capital in 2024 for $5.6 billion, said an unauthorized actor used a compromised user credential to gain access through its customer support portal in December 2024.

System Access and Data Potentially Affected

From that foothold, the attacker reached PowerSchool SIS, the student information system schools use to manage their most sensitive data: student records, grades, attendance and enrollment details.

PowerSchool acknowledged to TechCrunch that the compromised PowerSource portal did not have multi-factor authentication enabled at the time of the incident. A support portal that can reach customer SIS data is exactly the place where a stolen password alone should not be enough; phishing-resistant MFA and per-customer access logging on such a portal are what turn a credential theft into a contained event rather than a mass exfiltration.

Unanswered Questions and Limited Communication

Despite some transparency, several critical questions surrounding the breach remain unresolved months after its discovery.

TechCrunch submitted a detailed list of inquiries to PowerSchool concerning the incident and its potential impact on millions of students.

PowerSchool spokesperson Beth Keebler declined to answer them, pointing instead to the company's dedicated incident webpage. The company said on January 29 that it had begun notifying affected individuals and the relevant state regulators.

Customer Collaboration and Investigation

Many PowerSchool customers are also seeking answers, and some affected districts have begun pooling their findings to investigate the attack on their own.

Postmortem Report and Timeline

In early March, PowerSchool released a postmortem analysis of the breach prepared by CrowdStrike, two months after first promising the report to customers.

CrowdStrike’s findings confirmed that unauthorized access to PowerSchool’s systems occurred as early as August 2024, predating the publicly disclosed breach date.

Remaining Concerns

Several key questions continue to require answers regarding this significant security event.

  • What specific data was accessed by the unauthorized actor?
  • What measures are being taken to prevent similar incidents in the future?
  • What is the full extent of the compromised systems and data?

The extent of the PowerSchool data breach remains undisclosed

PowerSchool users have described the incident to TechCrunch as potentially "massive" in scope. Although the company told TechCrunch it has identified the affected schools and districts, it has consistently declined to say how many students and staff are impacted.

According to a January report by Bleeping Computer, citing several sources, the attacker obtained the personal information of more than 62 million students and 9.5 million educators.

PowerSchool would not confirm or dispute that figure when asked by TechCrunch.

Filings PowerSchool has made with state attorneys general, together with notifications from affected schools, nonetheless make clear that the personal data of millions of people was taken.

A filing with the Texas Attorney General lists nearly 800,000 residents of that state whose data was stolen. An initial report to Maine's Attorney General in January put the number of affected residents at more than 33,000; that figure has since been revised to "to be determined."

The Toronto District School Board, Canada's largest school board with roughly 240,000 students enrolled each year, said the attacker may have accessed four decades of student data covering nearly 1.5 million students.

The Menlo Park City School District in California likewise confirmed unauthorized access to data on all of its current students and staff (about 2,700 students and 400 staff members) as well as records going back to the 2009-2010 school year.

The types of data compromised in the PowerSchool breach remain undisclosed

Beyond the head count, it is still unclear exactly which categories of data were taken, since PowerSchool has publicly confirmed neither the number of people affected nor the specific data types accessed.

A January communication from PowerSchool to its customers, reviewed by TechCrunch, said the hacker obtained "sensitive personal information" on both students and educators.

That data included student records such as grades, attendance and demographic information, and the company's incident webpage acknowledges that Social Security numbers and medical records may also have been exposed.

PowerSchool qualified this by noting that the data taken varied from customer to customer, depending on what each district chose to store in the system.

Multiple schools impacted by the security incident have reported to TechCrunch that their complete historical data sets for students and teachers were compromised.

A person at one affected district told TechCrunch that the stolen information included particularly sensitive student details: parental access permissions, existing restraining orders, and medication schedules for specific students.

In February, a source familiar with the situation informed TechCrunch that PowerSchool had supplied affected schools with a “SIS Self Service” utility.

The tool lets schools query and summarize their own PowerSchool data to establish what information was held in the system. PowerSchool cautioned, however, that the tool's output may not match the data actually exfiltrated during the breach: it shows what a district stored, not what the attacker took.

It is still unknown whether PowerSchool has independent technical evidence, such as access or export logs from the portal and SIS, that would let it determine definitively which data was stolen from each affected district.
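As an added worked example (not PowerSchool's code, CrowdStrike's findings, or any real audit schema), the following Python shows what answering that question requires: an audit log that ties each export of customer data to the session and credential that requested it. The JSON-lines format, the field names, the district identifiers and the sample log lines are all constructed for this illustration. It also reproduces the failure mode the article describes: where the log records that a table was exported but not how many rows, the volume taken cannot be recovered from the log alone, which is the point at which a company falls back on querying what each district stored.

```python
"""Scoping a credential-based intrusion from access logs.

Added illustration, not PowerSchool's code: the log schema (JSON lines with
ts/event/user/session/mfa/district/table/rows), the district identifiers and
the sample lines are all constructed for this example.
"""
import json
from collections import defaultdict


# Constructed sample log: a support-portal login without MFA, three SIS
# exports issued under that session (one with no row count recorded), and an
# unrelated MFA-protected login for comparison.
SAMPLE_LOG = """\
{"ts":"2024-12-19T03:12:05Z","event":"login","user":"support.eng","session":"s1","mfa":false,"src_ip":"203.0.113.7"}
{"ts":"2024-12-19T03:13:40Z","event":"export","session":"s1","district":"D-100","table":"students","rows":41200}
{"ts":"2024-12-19T03:14:02Z","event":"export","session":"s1","district":"D-100","table":"teachers","rows":2700}
{"ts":"2024-12-19T03:20:11Z","event":"export","session":"s1","district":"D-200","table":"students"}
{"ts":"2024-12-19T09:01:00Z","event":"login","user":"jane.doe","session":"s2","mfa":true,"src_ip":"198.51.100.4"}
{"ts":"2024-12-19T09:05:00Z","event":"export","session":"s2","district":"D-300","table":"students","rows":900}
"""


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def logins_without_mfa(events):
    """Logins completed with a password alone (the weakness this incident exposed)."""
    return [e for e in events if e["event"] == "login" and not e.get("mfa")]


def sessions_for_user(events, user):
    """Every session the named credential opened."""
    return {e["session"] for e in events if e["event"] == "login" and e["user"] == user}


def scope_for_sessions(events, sessions):
    """Map district -> table -> rows exported within the given sessions.

    A value of None means the table was exported but the log carried no row
    count, so the volume cannot be established from this log alone.
    """
    scope = defaultdict(dict)
    for e in events:
        if e["event"] != "export" or e["session"] not in sessions:
            continue
        tables = scope[e["district"]]
        if e.get("rows") is None or tables.get(e["table"], 0) is None:
            tables[e["table"]] = None          # volume unknown from here on
        else:
            tables[e["table"]] = tables.get(e["table"], 0) + e["rows"]
    return dict(scope)


def activity_window(events, sessions):
    """First and last timestamps seen for the sessions (ISO 8601 strings)."""
    stamps = sorted(e["ts"] for e in events if e.get("session") in sessions)
    return (stamps[0], stamps[-1]) if stamps else (None, None)


def summarize(events, user):
    """Scope report for one compromised credential."""
    sessions = sessions_for_user(events, user)
    scope = scope_for_sessions(events, sessions)
    known = sum(r for t in scope.values() for r in t.values() if r is not None)
    unknown = sorted((d, t) for d, tbls in scope.items()
                     for t, r in tbls.items() if r is None)
    first, last = activity_window(events, sessions)
    return {
        "sessions": sorted(sessions),
        "districts": sorted(scope),
        "known_rows": known,
        "unknown": unknown,        # touched, but volume not recoverable from the log
        "window": (first, last),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("logins without MFA:", [e["user"] for e in logins_without_mfa(evs)])
    print(json.dumps(summarize(evs, "support.eng"), indent=2))
```

In the constructed sample, the report for the compromised credential covers two districts, 43,900 rows whose volume the log does record, and one export (district D-200, students table) whose size is unknowable from the log; that last entry is the gap a district-side "what do we store" query can only approximate. Note also that the login-to-last-export window is what a forensic team would use to bound dwell time, which is why the sparse logging CrowdStrike cited for the August 2024 access matters so much.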

PowerSchool Declines to Disclose Ransom Payment Following Data Breach

PowerSchool told TechCrunch it took "appropriate steps" to prevent the stolen data from being published, and its communication to customers confirmed that it hired a cyber-extortion incident response firm to negotiate with the people responsible.

Together those statements strongly suggest that PowerSchool paid the attacker. When asked by TechCrunch, however, the company would not say how much it paid or what the hacker initially demanded.

Details of the Incident Response

Bringing in a specialist negotiation firm is a common, if controversial, step in cyber-extortion cases, and it signals that PowerSchool treated the risk of publication as serious enough to deal with the attacker directly.

The specifics of that engagement remain confidential.

Transparency Concerns

PowerSchool's refusal to disclose whether, and how much, it paid leaves customers unable to judge how the company weighed the risk to their data. The size of any payment is also one of the few public signals of how large the attacker judged the haul to be.

  • Key Takeaway: PowerSchool likely paid a ransom.
  • Disclosure: The amount remains undisclosed.
  • Response: A cyber-extortion firm was utilized.

The incident illustrates both the growing targeting of educational institutions and the difficult choices organizations face once data is already in an attacker's hands.

The Basis for PowerSchool’s Claim of Data Deletion Remains Unclear

According to PowerSchool's Keebler, as reported by TechCrunch, the company does not currently expect the stolen data to be shared or published, and believes the data has been deleted without any copies being made or distributed.

PowerSchool has consistently declined, however, to say what evidence supports that belief. Early reports indicated the company had received a video of the data being deleted, but PowerSchool would neither confirm nor deny this when asked by TechCrunch.

Even a convincing proof of deletion cannot establish that no other copy exists. The February 2024 law-enforcement takedown of the LockBit ransomware group, led by the U.K.'s National Crime Agency, found that the gang still held data belonging to victims who had already paid.

A deletion video shows one copy being removed from one system at one moment; it says nothing about backups, copies passed to affiliates, or data already sold. Without knowing what evidence PowerSchool received, customers cannot judge how much weight its assurance deserves, or how exposed the affected students and staff remain.

Concerns Regarding Verification of Data Removal

The practical lesson is that "the data has been deleted" is a claim about the attacker's honesty, not a verifiable technical fact. Organizations that accept such assurances without independent evidence, and regulators and customers who rely on them, should treat the data as still at risk, as the LockBit case demonstrated.

Identity of the perpetrator in the data breach remains undisclosed

Another open question is who was behind the attack. PowerSchool has negotiated with the attacker but has not said whether it knows their identity, and has disclosed nothing about it if it does.

CyberSteward, the Canadian incident response firm that handled the negotiations on PowerSchool's behalf, has not responded to TechCrunch's inquiries.

Negotiations and Communication

PowerSchool has confirmed that it established contact with the hacker after detecting the incident, but it has not released any details of those conversations or of the demands that were made.

Withholding the attacker's identity, if it is known, leaves unanswered whether law enforcement is involved and whether the same actor is a continuing threat to other education-sector targets.

Incident Response and External Support

Hiring CyberSteward is itself a measure of the breach's severity; negotiation firms of this kind are typically brought in to buy time, establish what the attacker holds, and broker a settlement. TechCrunch's attempts to learn more about CyberSteward's role and findings have so far gone unanswered, adding to the uncertainty around the attack.

Analysis of CrowdStrike’s Report Raises Concerns

After PowerSchool published the CrowdStrike forensic report in March, at least one person at an affected school told TechCrunch the findings were "underwhelming."

The investigation confirmed that a compromised credential was the attacker's initial point of entry, but it does not explain how that credential was obtained or how it was then used to reach customer data.

Mark Racine, CEO of Boston-based edtech consultancy RootED Solutions, told TechCrunch that the report offers "some detail" but not enough to "understand the sequence of events."

Uncertainties Regarding Credential Compromise

The central gap is the origin of the credential itself: the report does not say whether it was phished, reused from another breach, exposed in a code repository, or taken some other way. Without that root cause, neither PowerSchool nor its customers can judge whether the fix (MFA on the portal, for example) actually closes the door the attacker walked through.

Racine argues that a fuller account of how the credential was compromised and used is needed before schools can confidently assess their own exposure and strengthen their defenses; as it stands, the report does not give them enough to do so.

How long the attacker had access remains unclear

CrowdStrike's findings indicate that PowerSchool's network may have been accessed without authorization from August 16, 2024, to September 17, 2024, months before the December intrusion.

That earlier access used the same compromised credentials that were later exploited in the December incident.

The target in both cases was PowerSource, PowerSchool's customer support portal, which served as the entry point to the student information system in December.

CrowdStrike acknowledges the August access but, because of limited logging data, could not definitively link it to the threat actor behind the December breach.

Even so, the finding raises the possibility that an attacker was operating inside PowerSchool's environment for far longer than the company first disclosed, and it shows the cost of sparse logging: without it, the investigators cannot establish when the compromise actually began. The duration of the initial compromise is still under investigation.

Seeking Further Information

Individuals with additional details regarding the PowerSchool data breach are encouraged to come forward.

Carly Page can be reached securely on Signal at +44 1536 853968, or by email at carly.page@techcrunch.com, from a personal, non-work device.

  • Compromised System: PowerSource customer support portal.
  • Access Period: August 16, 2024 – September 17, 2024.
  • Credentials Used: Same as December breach.

The investigation continues to determine the full scope and impact of these security events.
