A hacker who breached education tech giant PowerSchool claims to have stolen the personal data of 62.4 million students and 9.5 million teachers. PowerSchool, a cloud-based software solutions provider for K-12 schools and districts, offers tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance. On January 7th, PowerSchool disclosed that a threat actor used stolen credentials to access the company’s PowerSource customer support portal.
From there, the hacker used a customer support maintenance tool to download student and teacher data from districts’ PowerSIS databases. Sources indicate that the breach affected 62,488,628 students and 9,506,624 teachers across 6,505 school districts in the U.S., Canada, and other countries. Canadian school boards tend to have larger numbers than U.S. districts due to the regional governance structure in Canada.
PowerSchool’s response and next steps
PowerSchool has stressed that the type of data exposed varies per district, as school districts decide what information is stored in the SIS database based on their district or state policy requirements. Less than a quarter of impacted students reportedly had their Social Security Number exposed in the breach.
In response to questions about the breach, PowerSchool shared the following statement:
“We understand we have a very large customer base on PowerSchool SIS, but we feel it important to highlight that we expect the majority of involved individuals – in fact, more than three-quarters – did not have social security numbers exfiltrated. We are receiving many questions about the type of data involved, and it is difficult to make broad statements because the answer varies by individual customer and depends on customer choice and state or district policies and requirements.”
PowerSchool is offering two years of complimentary identity protection services and two years of complimentary credit monitoring services for all applicable students and educators whose information was involved, regardless of whether an individual’s Social Security Number was exfiltrated. The company had promised to release an incident report based on CrowdStrike’s investigations on January 17th, but the report has not yet been published.
PowerSchool stated that CrowdStrike is still finalizing the forensic report, which will be made available to customers once completed. In the interim, PowerSchool has posted an update to its customer-only FAQ, and customers can receive a confidential CrowdStrike fact sheet detailing what is known so far.
