PowerSchool has begun notifying impacted individuals about a data breach that compromised personal information from its Student Information System (SIS). The breach, first detected on December 28, 2024, resulted in the unauthorized exfiltration of data, including names, contact details, Social Security numbers (SSNs), medical alerts, and academic records for certain individuals. The total number of affected users remains undisclosed, but reports suggest millions of students and educators across the U.S. and Canada could be impacted.
Incident background
PowerSchool, a leading cloud-based education technology provider serving over 60 million students globally, confirmed that a threat actor gained access to its systems via compromised credentials for its PowerSource customer support portal. The attacker leveraged a maintenance tool within the portal to export student and teacher data from SIS environments, stealing sensitive records.
In an effort to prevent the public release of stolen data, PowerSchool admitted to paying a ransom following negotiations facilitated by CyberSteward, a firm specializing in cyber extortion cases. Despite assurances from the hacker that the data was deleted, experts warn that such guarantees can never be fully trusted.
While PowerSchool has refrained from disclosing exact figures, a hacker claiming responsibility for the attack alleged they obtained records for 62.4 million students and 9.5 million teachers from thousands of school districts across the U.S., Canada, and other regions. Some of the largest districts allegedly impacted include the Toronto District School Board (1.48 million students), Dallas Independent School District (787,000 students), and Wake County Public Schools (461,000 students).
PowerSchool's response
In its latest status update, dated January 27, 2025, PowerSchool announced that it had begun notifying individuals whose data was involved in the breach. The company is also filing regulatory notifications with attorney generals' offices in affected U.S. jurisdictions.
The notification letters, obtained from PowerSchool's customer resources, inform recipients about the breach and offer two years of complimentary identity protection and credit monitoring services through Experian. Impacted adults (teachers and students over 18) are eligible for credit monitoring, while minors receive identity protection services, including Social Security Number monitoring and dark web surveillance.
Affected individuals are advised to enroll in these services before the provided deadline and remain vigilant for signs of identity theft or fraud. PowerSchool also recommends reviewing personal account statements, placing fraud alerts with credit bureaus, and considering security freezes if necessary.
While PowerSchool's response includes direct notifications and mitigation steps, frustration remains among educators and parents regarding the company's lack of transparency. Many are still waiting for an official report from CrowdStrike, the cybersecurity firm leading the forensic investigation. The report, initially promised for January 17, 2025, has yet to be published, leading to speculation about the full scope of the breach.
Additionally, while PowerSchool maintains that not all SIS customers were affected, it has not disclosed the exact number of impacted individuals or school districts. The uncertainty has raised concerns among school administrators, who must determine their own reporting obligations to state education departments.
For those impacted, it is recommended that you enroll in PowerSchool's offered identity protection services through Experian before the deadline, monitor financial and personal accounts for unusual activity, and consider placing fraud alerts or credit freezes on credit files if sensitive data, such as SSNs, was exposed.
This remains an evolving situation, with more details expected as PowerSchool finalizes its forensic review and regulatory filings.
Signal Adds Encrypting Message History Sync for Linked Devices
Leave a Reply