ARTICLE UPDATE 1/31/25:
PowerSchool failed to take basic precautions to protect students’ data, leading to the largest breach of American children’s personal information to date, according to a cybersecurity audit by CrowdStrike.
The company is best known for its Student Information System (SIS), which helps schools track the data of K-12 students. It is also one of the systems that was breached during a December cyberattack. The system can track information such as name, school, birthday, address, Social Security number, health concerns, and disciplinary records.
According to NBC News, a PowerSchool executive admitted during a meeting that a breached system had failed to use multi-factor authentication. The CrowdStrike audit found no evidence that the hackers used malware or found a backdoor into PowerSchool’s systems. The hackers instead obtained a single employee’s password, granting them access to a “Maintenance Access” function that let them download millions of children’s personal information.
The report also found PowerSchool was not aware it had been the victim of a cyberattack until days later when the hacker contacted the company to ask for payment.
“We recognize the significance of this incident and are deeply regretful that it occurred,” Beth Keebler, a PowerSchool spokesperson, said in an emailed statement. “PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.”
In a private virtual briefing with customers, Mishka McCowan, PowerSchool’s chief information officer, said the company paid the hacker and received a video of them appearing to delete the stolen data, a person who was on the call told NBC News. As of Thursday, the breached data did not appear to be publicly available online.
ORIGINAL ARTICLE 1/23/25:
At least 23 lawsuits seeking class-action status have been filed against California-based education tech giant PowerSchool following a massive data breach.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that offers tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance. The company announced Jan. 7 that it suffered a cyberattack sometime between Dec. 10 and Dec. 28 after a threat actor used stolen credentials to access its PowerSource customer support portal.
Using this access, the threat actor then used a customer support maintenance access tool to download student and teacher data from districts’ PowerSIS databases, Bleeping Computer reports. Information stored in these databases can include students’ names, contact details, dates of birth, medical alert information, and Social Security numbers.
PowerSchool says school districts decide what information is stored in the SIS database based on district or state requirements, and it anticipates less than a quarter of impacted students had their Social Security numbers exposed in the breach.
“Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base,” PowerSchool said.
The breach appears to have resulted in the theft of information from school districts across the U.S., Canada, and Bermuda, a self-governing British territory. The company said its software stores information of over 62 million K-12 students and teachers across more than 18,000 customers, including over 90 of the top 100 districts by student enrollment in the U.S.
What Districts Were Impacted by the PowerSchool Data Breach?
According to Bleeping Computer, the largest districts allegedly impacted by the breach are:
- Toronto District School Board
- Peel District School Board
- Dallas Independent School District
- Calgary Board of Education
- Memphis-Shelby County Schools
- San Diego Unified
- Charlotte-Mecklenburg Schools
- Wake County Public Schools
The full extent of the breach isn’t yet clear, according to GovInfoSecurity. An investigation, spearheaded by cybersecurity company CrowdStrike, is still active. PowerSchool initially said a report would be published Jan. 17.
PowerSchool says it will offer two years of free identity protection and credit monitoring services for all impacted students and educators. The company also set up a dedicated public website that those impacted can monitor for further updates.
PowerSchool Lawsuits Claim Negligence
Each of the lawsuits, filed in U.S. District Court for the Eastern District of California, seeks to represent a nationwide class of affected current and former students and faculty, dating as far back as 2009, whose personally identifiable information or personal health information was exposed in the breach.
The suits claim PowerSchool’s lack of robust authentication and access control security measures allowed cybercriminals to steal information.
“PowerSchool’s failure not only allowed this breach, but could very well allow continued data breaches of those students, teachers and administrators,” said attorney Kiley Grombacher of Bradley/Grombacher. “PowerSchool behaved in a reckless manner as they were made aware of the potential issues with their system but ignored it time and again.”