A recent cyberattack on edtech giant PowerSchool has exposed vast amounts of personal data belonging to students and teachers in K-12 schools across the United States. The breach, facilitated by stolen credentials, allowed hackers to access extensive historical data stored in PowerSchool’s student information systems. Sources from affected school districts confirmed that the attackers accessed demographic data for all current and former students and teachers, dating back to when the districts first started using PowerSchool.
One source noted discrepancies in PowerSchool’s timeline, suggesting the attackers likely had access earlier than the company’s stated date in December. PowerSchool spokesperson Beth Keebler confirmed the company uses multi-factor authentication but did not provide further details on security controls. Several school districts have publicly shared the impact of the breach on their communities, with some reporting higher numbers of affected individuals than are currently enrolled.
According to a PowerSchool FAQ, the stolen data includes names, addresses, Social Security numbers, medical and grade information, and other personally identifiable information. The company claims to have taken steps to prevent the stolen data from being published, asserting it has been deleted without further replication or dissemination. In North Carolina, the Pitt County School System confirmed the hacker accessed social security numbers of 60 active staff members and exposed phone numbers, email addresses, addresses, and user IDs of staff with PowerSchool access.
PowerSchool breach exposes sensitive data
Student data compromised included medical, discipline, custody-related alerts, demographic information, user IDs, and contact details. However, no student passwords, grades, or social security numbers were accessed.
Other North Carolina school systems, including Carteret County, Onslow County, Martin County, and Lenoir County, have also reported impacts from the breach. The North Carolina Department of Education stated that fewer than 1,000 students’ social security numbers were compromised, while more than 1,000 teachers’ social security numbers were exposed. In South Carolina, York School District One and Fort Mill School District confirmed some social security numbers within their schools were breached, along with directory information and specific medical details.
Parents expressed concerns over the unknown extent of compromised data, as enrollment requires providing sensitive documents like immunization records, birth certificates, and proof of residency. The South Carolina Department of Education announced plans to pressure PowerSchool to provide credit and identity monitoring services to those affected. School districts nationwide are assessing their programs for possible improvements and discussing potential changes to safeguard personal information.
As the investigation continues, state officials and school systems are actively monitoring the situation and will provide additional updates as they become available. The main concern remains identifying and notifying impacted individuals to help mitigate the effects of the breach.
