PowerSchool Cyberattack Compromises Millions Of Student Records Across U.S. Schools

Hackers breached the systems of PowerSchool, an ed-tech company serving over 50 million students in the U.S.

The attack, as first reported on Wednesday by TechCrunch, compromised historical student and teacher data from multiple school districts. Occurring in December, it exploited stolen credentials to breach the company’s customer support portal, exposing sensitive information.

Affected school districts revealed the breach’s extensive scope. One district confirmed that “all historical student and teacher data” was accessed, while another district with nearly 9,000 students reported that demographic data for current and former staff and students was compromised, as reported by TechCrunch.

Some districts noted inadequate security measures, such as the absence of multi-factor authentication. PowerSchool has yet to disclose the number of impacted schools, said TechCrunch.

Beth Keebler, a company spokesperson, stated that the affected schools and districts have been identified but declined to share their names publicly to TechCrunch. The company is still determining which individuals’ data may have been accessed and did not provide evidence for its claim that the stolen data has been deleted.

TechCrunch reports that according to a PowerSchool FAQ shared with customers last week, the breach exposed names, addresses, Social Security numbers, medical information, grades, and other personal details.

However, in a statement provided to TechCrunch on Tuesday, PowerSchool suggested that most affected customers did not have sensitive data compromised.

Moreover, TechCrunch reports that Menlo Park City School District in California confirmed that data dating back to the 2009-2010 school year had been accessed. Rancho Santa Fe School District, another California district, disclosed that teachers’ login credentials were also compromised.

Mark Racine, CEO of education technology consultancy RootED Solutions, warned that the breach impacts not only PowerSchool’s 18,000 active customers but also former clients, as noted by TechCrunch.

He said that affected student numbers in some districts are up to ten times higher than currently enrolled students, reflecting the long-term data retention involved.

Criticism of PowerSchool’s security practices has mounted, with some districts accusing the company of neglecting basic protections, as reported by TechCrunch.

PowerSchool stated to TechCrunch it has implemented measures to prevent further incidents but has not elaborated on its response or the effectiveness of its actions.

A PowerSchool’s spokesperson told Newsweek: “We have identified the schools and districts whose data was involved in this incident, notified them directly and will be providing updates as we support them through next steps.’’

“PowerSchool is in the process of rolling out a plan in which we will offer to notify individuals whose personal information was involved on our customers’ behalf. We will also be providing credit monitoring or identity protection services if applicable,” the spokesperson added.

As investigations continue, affected districts are taking steps to inform staff and students about the breach while evaluating the long-term implications for their communities.