• A Major Breach with Widespread Implications

In December 2024, U.S.-based educational technology provider PowerSchool fell victim to a significant cybersecurity breach. Serving over 18,000 schools and approximately 60 million students, PowerSchool’s systems were infiltrated, compromising sensitive student and staff data. While the breach has made headlines, numerous questions remain unanswered, leaving schools, educators, and parents concerned about its full scope.

• Breach Overview

PowerSchool confirmed that attackers gained unauthorized access to their customer support portal, PowerSource, on December 28, 2024. The breach exploited compromised credentials, and at the time, the PowerSource portal did not have multi-factor authentication (MFA) in place, which might have prevented unauthorized access. The attackers then gained entry to PowerSchool’s Student Information System (SIS), which holds critical data such as student records, grades, attendance, and enrollment information.

Beth Keebler, a spokesperson for PowerSchool, shared that while the primary company systems were protected with MFA, the absence of this security layer on PowerSource created a vulnerability that hackers exploited.

• Unanswered Questions about the Impact

How Many Schools and Students Are Affected?

Despite acknowledging the breach, PowerSchool has refrained from revealing the total number of impacted institutions or individuals. However, reports from affected schools suggest that the breach could be extensive. For instance:

• The Toronto District School Board, Canada’s largest school board, reported that hackers accessed 40 years’ worth of student records.
• California’s Menlo Park City School District confirmed the compromise of data on all current students and staff, as well as historical data dating back to the 2009-2010 school year.
• What Data Was Stolen?

According to a communication shared with customers, hackers accessed highly sensitive personal information, including:

• Names, addresses, and demographic details
• Social Security numbers
• Academic records and grades
• Medical information
• Information about parental access rights, including restraining orders and medication schedules for students

Multiple school districts have reported that all historical student and teacher data stored in the system was accessed, further amplifying concerns about the scale and implications of the breach.

• Power School’s Response to the Attack

In the wake of the incident, PowerSchool hired cybersecurity firm CrowdStrike to investigate and mitigate the breach. The company has also implemented multi-factor authentication across its systems to bolster security.

PowerSchool communicated that it worked with a cyber-extortion incident response company to negotiate with the hackers and prevent the stolen data from being published. While the company stated that it believes the data has been deleted without replication, it has not provided concrete evidence to support this claim, leaving many stakeholders skeptical.

• The Ransom Payment and Its Fallout

Although Power School’s statements confirm that it engaged in negotiations with the hackers, the amount paid to prevent the publication of the data remains undisclosed. This lack of transparency has raised concerns about whether the company’s actions effectively safeguarded the compromised information.