PowerSchool Admits Hackers Stole Students’ Sensitive Data in Data Breach
Data Breach Exposes Sensitive Student Information
Edtech giant PowerSchool recently confirmed a data breach in which hackers accessed highly sensitive customer information, including student Social Security numbers, grades, and medical information. This breach involved PowerSchool's internal customer support portal, compromised through a stolen credential. Those affected include users of PowerSchool's educational management software, which manages student records, grades, attendance, and enrollment.
Stolen Data Details and Affected Parties
In a statement, PowerSchool acknowledged that while the hackers primarily accessed contact details, they also stole Social Security numbers, some medical and grade information, and other unspecified personally identifiable information. Students, teachers, and even some parents and guardians were potentially affected, with compromised data varying by customer.
PowerSchool, based in California, is the foremost provider of cloud-based K-12 education software in the United States, with over 16,000 customers supporting more than 50 million students across North America. Despite confirming the breach, representative Beth Keebler declined to specify the number of individuals affected.
Security Measures and Firm Response
PowerSchool clarified that the security breach did not involve ransomware. The company worked with CyberSteward, an organization specializing in cyber-extortion responses, to negotiate with those responsible. This aligns with previous reports suggesting the breach's goal was strictly extortion, with PowerSchool reportedly paying to ensure the stolen data would not be published.
Upon inquiry, PowerSchool did not disclose evidence confirming the deletion of the stolen information. CyberSteward has remained silent on these questions to date. Keebler assured, "PowerSchool has taken all appropriate steps to prevent the data involved from further unauthorized misuse and does not anticipate the data being shared or made public." She expressed confidence that the data has been deleted without additional replication or dissemination.
Implications and Company Ownership
Bain Capital, which acquired PowerSchool for $5.6 billion in 2024, did not provide comment regarding the breach. The incident underscores the ongoing vulnerabilities educational tech companies face and their potential impact on students and educators.
If you have further information about the PowerSchool data breach, you can contact Carly Page securely via Signal or email.