PowerSchool data breach endangers the personal information of millions of students

Jan. 31, 2025
Student and faculty names, birthdates, contact information—and in some cases, medical data and Social Security Numbers—were compromised in the breach.

PowerSchool, whose Student Information System (SIS) is used by over 16,000 K-12 schools to manage grades, attendance, and other operations, recently disclosed a major cybersecurity incident that compromised vast amounts of personal data belonging to millions of teachers, students, and graduates across the United States and Canada.

On December 28, 2024, threat actors exfiltrated personal information from PowerSchool SIS environments using PowerSource, the software's customer support portal. NBC, which acquired an exclusive copy of CrowdStrike's internal audit of the situation, reports that the breach was the result of a massive failure of cyber hygiene: the hacker, with the help of a "maintenance access" function, was able to download a wealth of sensitive personal information. This was achieved with a single compromised employee password, highlighting a lack of additional security layers like multi-factor authentication (MFA) for online environments.

“We recognize the significance of this incident and are deeply regretful that it occurred,” said Beth Keebler, a PowerSchool spokesperson, in an emailed statement. “PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years—this has been a diligent and continuous area of focus and one the company plans to continue to invest in.”

Student and faculty names, birthdates, and contact information were exfiltrated, alongside medical alert information and, in some cases, Social Security Numbers. PowerSchool clarifies that a majority of impacted individuals did not have their Social Security and medical alert data stolen in the breach.

According to PowerSchool's website, the software is used to track 60 million students. Bleeping Computer's coverage of the incident reports that the number of affected students, as claimed by the hacker, is as high as 62 million. The Toronto District School Board, however, alongside numerous other educational bodies, has stated that the breach affected historical data as well, including that of students enrolled decades ago.

"As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse," said PowerSchool in an official press release. "We are not aware at this time of any identity theft attributable to this incident."

In the wake of the breach, PowerSchool is offering impacted students and faculty a two-year complimentary identity protection service. Adult students and faculty will also receive two years of complimentary credit monitoring. Those impacted can learn more by visiting PowerSchool's official announcement page.

About the Author

Samantha Schober | Associate Editor

Samantha Schober is associate editor of SecurityInfoWatch.com.