A hacker who breached education tech giant PowerSchool claims to have stolen the personal data of 62.4 million students and 9.5 million teachers. PowerSchool, a cloud-based software solutions provider for K-12 schools and districts, offers tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance. On January 7th, PowerSchool disclosed that a threat actor had used stolen credentials to access the company’s PowerSource customer support portal.
This access enabled the hacker to use a customer support maintenance tool to download student and teacher data from districts’ PowerSchool SIS databases. An FAQ stated that sensitive information such as Social Security Numbers, medical information, and grades was stolen for a subset of affected students. The company admitted to paying a ransom to prevent the stolen data from being leaked, and reportedly received a video showing the threat actor claiming to delete the data.
Despite this, PowerSchool has not provided specific numbers on how many students and teachers were impacted, frustrating parents, teachers, and school administrators. According to multiple sources, the hacker behind the PowerSchool attack claimed to have stolen data from 6,505 school districts in the US, Canada, and other countries. Altogether, by the hacker's claim, the breach impacted 62,488,628 students and 9,506,624 teachers.
While PowerSchool would not comment on specific figures because its investigation is still ongoing, the company emphasized that the type of data exposed varies by district. It stated that less than a quarter of impacted students likely had their Social Security Numbers exposed. The company also disclosed that it has both cloud-based and on-premises PowerSchool SIS customers.
For districts self-hosting their databases, the data review is more complicated as it requires the district to share information for analysis.
In response to reporting inquiries, PowerSchool issued the following statement:
“We understand we have a very large customer base on PowerSchool SIS, but we feel it is important to highlight that we expect the majority of involved individuals – in fact more than three-quarters – did not have social security numbers exfiltrated.
We are receiving many questions about what type of data was involved, and it is difficult to make broad statements because the answer varies by individual customer and is dependent on customer choice and on state or district policies and requirements. We care deeply about the students, teachers, and families we serve and are wholeheartedly committed to supporting them. PowerSchool will be offering two years of complimentary identity protection services and two years of complimentary credit monitoring services for all applicable students and educators whose information was involved.
We are doing this regardless of whether an individual’s Social Security Number was exfiltrated (meaning, we are doing this regardless of whether or not we are required to by regulation). We will also be making notifications on our customers’ behalf to state attorneys general offices, educators, students, parents, and other impacted stakeholders. We sincerely hope to relieve the burden of these notifications on our customers and their institutions.”
PowerSchool intends to offer two years of free identity protection and credit monitoring services for all impacted students and educators.
The company also plans to send data breach notifications on behalf of customers to state attorneys general offices and other stakeholders. However, the timeline for these actions remains unclear. Additionally, PowerSchool had promised to release an incident report based on CrowdStrike’s investigations on January 17th, but that date has passed without the report being published.
When asked for an update, PowerSchool said CrowdStrike is still working to finalize the forensic report, which will be made available to customers once completed. In the meantime, PowerSchool has posted an update to its customer-only FAQ, stating that customers can receive a confidential CrowdStrike fact sheet on what is known so far. They also set up provisions for monitoring updates.