PowerSchool data breach exposes student records in massive cybersecurity incident
In what will be concerning news for educational institutions that use PowerSchool, the company has announced a data breach involving unauthorized access to personal information stored in its Student Information System (SIS).
PowerSchool confirmed that it became aware of the cybersecurity incident on December 28, 2024, after detecting unauthorized access through its customer support portal, PowerSource. The breach has since been contained, and the company stated that its systems remain operational. However, the incident raises broader concerns about the security measures in place to protect student data across third-party platforms.
In a statement, Beth Keebler, a PowerSchool spokesperson, said: “We recognize the significance of this incident and are deeply regretful that it occurred. PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.”
Scope of the breach
PowerSchool reported that the type of information affected varies by individual, but may include names, contact information, dates of birth, limited medical alert details, and Social Insurance Numbers. The breach impacted personal data stored within SIS environments, which are widely used by schools for administrative purposes.
While the company has not provided an exact number of affected individuals, the hacker responsible for the breach has claimed that up to 62 million records were exposed. If accurate, this would mean that tens of millions of American students may have had their data compromised.
PowerSchool stated that affected customers have been notified and that it is offering identity protection and credit monitoring services to impacted individuals.
PowerSchool’s exact reach is not publicly documented in full, but the company holds statewide contracts in Alabama, North Carolina, and South Carolina, with SIS software usage varying by district within those states. Additionally, schools across multiple states have alerted students and parents about the breach, including:
West Coast & Mountain States: Alaska, Arizona, California, Colorado, Montana, Nevada, New Mexico, Oregon, Utah, Washington, Wyoming
Midwest: Illinois, Indiana, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, Wisconsin
Northeast & Mid-Atlantic: Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island
South & Southeast: Louisiana, Oklahoma, Tennessee, Texas
Response and mitigation efforts
Following the breach, PowerSchool activated its cybersecurity response protocols and brought in third-party cybersecurity experts to assess the situation. The company stated that, at this time, there is no evidence of identity theft linked to the incident.
To mitigate potential risks, PowerSchool is offering two years of complimentary identity protection through Experian. Additionally, students and educators who have reached the age of majority will have access to two years of credit monitoring through TransUnion.
Security failures identified
As first reported by NBC News, internal assessments of the breach indicate that PowerSchool did not implement fundamental security measures to protect student data. The company engaged cybersecurity firm CrowdStrike to investigate the incident. An interim report prepared by CrowdStrike was shared with some school officials and obtained by NBC News, and it allegedly outlined key findings about the nature of the breach.
The report allegedly states that there was no indication that the hacker used malware or exploited a backdoor in PowerSchool’s systems. Instead, access was gained through a single employee’s compromised password. The credentials granted the hacker entry to a “Maintenance Access” function, which enabled the download of millions of students’ personal information.
CrowdStrike’s assessment also allegedly found that PowerSchool was unaware of the scale of the hack until late December—several days after it occurred—when the hacker reached out to the company directly to disclose the breach and demand payment.
CrowdStrike declined to comment on the report, citing standard industry practice.
Recommendations for affected individuals
PowerSchool is advising individuals to remain vigilant against identity theft by reviewing account statements and monitoring for any suspicious activity. The company also emphasized that it will not request personal or account information by phone or email.
PowerSchool stated: “As soon as PowerSchool learned of the incident, we engaged cybersecurity response protocols and mobilized senior leadership and third-party cybersecurity experts to conduct a forensic investigation of the scope of the incident and to monitor for signs of information misuse. We are not aware at this time of any identity theft attributable to this incident.”
Affected schools and individuals can visit PowerSchool’s website for further details on enrolling in identity protection services.