The recent hack of PowerSchool, a widely used student information system in U.S. schools, has exposed the sensitive data of millions of students. Internal reports reveal that the breach occurred due to a failure to implement basic cybersecurity measures. PowerSchool’s system collects extensive data on students, including names, birthdays, addresses, and in some cases, Social Security numbers, health records, and disciplinary actions.
The theft of such data is particularly concerning as children lack the ability to protect their own information, and the consequences of identity theft can be severe. An audit by cybersecurity firm CrowdStrike found that hackers gained access through a single employee’s password that lacked two-factor authentication. This allowed them to download millions of children’s personal information using a “Maintenance Access” function.
Data breach underscores cybersecurity failures
The breach went undetected until the hackers contacted the company in December, demanding a ransom. PowerSchool spokesperson Beth Keebler expressed regret over the incident and highlighted the company’s ongoing investment in cybersecurity.
However, experts criticized the neglect of basic security practices like multifactor authentication. Doug Levin, national director of K12 SIX, an industry nonprofit, emphasized the broader issue of lax cybersecurity standards in educational technology, stating, “For a sector so integral to the American way of life, it is unconscionable that neither K-12 schools — nor their vendors — are held to a cybersecurity standard.”
The exact scope of the breached data is still under investigation, but estimates suggest up to 62 million students could be affected. The hack impacted multiple states, including California, Texas, and New York, with various types of student data being exposed, such as locker combinations and lunch account balances in some cases.
Sarah Powazek, director of the University of California, Berkeley’s public interest cybersecurity program, highlighted the trust schools place in companies like PowerSchool, noting that school districts have no control over the product and cannot feasibly verify the security of every external system they use. As more details emerge, officials and cybersecurity experts continue to assess the full impact of the breach and advocate for stricter cybersecurity measures to protect vulnerable student populations.
