Scope of the Breach: PowerSchool Confirms Incident
PowerSchool, a leading cloud-based software provider for K-12 education, confirmed a cybersecurity breach that exposed the sensitive data of students and teachers from various school districts. The incident was first discovered on December 28, 2024, when the company detected unauthorized access to its PowerSource customer support platform. PowerSchool’s platforms support over 60 million students and more than 18,000 customers globally, providing solutions for enrollment, attendance, staff management, and other educational operations.
The breach allowed attackers to export database tables containing information from PowerSchool’s Student Information System (SIS), which manages records such as grades, attendance, and enrollment. The stolen data includes personal details like names, addresses, and in some cases, Social Security Numbers (SSNs), medical records, and academic information. Notably, the breach does not appear to have affected all customers, and PowerSchool has stressed that only a subset of school districts were impacted.
Attack Details and Response Measures
According to PowerSchool’s investigation, the attack involved the use of compromised credentials to access the PowerSource portal. Utilizing a maintenance tool known as “export data manager,” the attackers exfiltrated student and teacher data into CSV files. Although PowerSchool confirmed that customer tickets and credentials were not exposed, the severity of the stolen data prompted swift action.
To address the breach, PowerSchool enlisted third-party cybersecurity experts, including CrowdStrike, and implemented enhanced security measures such as password rotation and stricter policies for customer portal access. The company confirmed the incident was not a ransomware attack, but a ransom was paid to ensure the stolen data was deleted and no additional copies existed. Despite receiving video evidence of the data’s deletion, PowerSchool acknowledged that no guarantees exist regarding future leaks.
Impacted individuals are being offered credit monitoring services for adults and identity protection for minors. Additionally, PowerSchool is closely monitoring the dark web to detect potential data leaks. The company has assured customers that its operations remain unaffected and continues to provide services as usual.
School Districts and Mitigation Steps
School districts across the United States and Canada have started notifying students, parents, and staff about the breach. Impacted districts include San Diego Unified School District (California), East Hartford Public Schools (Connecticut), St. Charles Parish Public Schools (Louisiana), and Lower Merion School District (Pennsylvania), among others. Canadian districts such as Elk Island Public Schools (Alberta) and Durham District School Board (Ontario) were also affected.
PowerSchool has provided guidelines for districts to determine if their data was compromised. IT personnel are advised to review logs for activity by a user identified as “200A0” and correlate this with mass-data export records. A detailed guide by a school IT specialist offers additional steps for verifying stolen data fields.
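The log review described above can be scripted. The following is an added example, not PowerSchool's guidance or tooling: the CSV layouts, column names, action labels, the 30-minute correlation window and the 1,000-row "mass export" threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

SUSPECT_USER = "200A0"            # user ID named in the guidance above
WINDOW = timedelta(minutes=30)    # assumed: how long after a session an export still counts
MIN_ROWS = 1000                   # assumed: row count treated as a mass export

# Constructed sample data in a hypothetical layout; real SIS log exports will differ.
ACCESS_LOG = """timestamp,user,source_ip,action
2024-12-01T02:11:05,jsmith,192.0.2.10,login
2024-12-01T03:40:12,200A0,203.0.113.7,remote_support_session
2024-12-01T09:15:00,200a0 ,203.0.113.7,remote_support_session
"""
EXPORT_LOG = """timestamp,table,rows
2024-12-01T03:44:51,Students,41200
2024-12-01T03:52:30,Teachers,2900
2024-12-01T14:00:00,Students,35
"""

def parse(text):
    """Read CSV text into dicts with the timestamp column parsed to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows

def correlate(access_text, export_text, user=SUSPECT_USER,
              window=WINDOW, min_rows=MIN_ROWS):
    """List every session by `user` with the mass exports that followed it."""
    # Normalise case and whitespace so variant spellings of the ID still match.
    sessions = [r for r in parse(access_text)
                if r["user"].strip().upper() == user.upper()]
    exports = [e for e in parse(export_text) if int(e["rows"]) >= min_rows]
    findings = []
    for s in sessions:
        hits = [(e["table"], int(e["rows"])) for e in exports
                if timedelta(0) <= e["timestamp"] - s["timestamp"] <= window]
        # A session with no matching export is still reported for manual review.
        findings.append({"session": s["timestamp"],
                         "source_ip": s["source_ip"], "exports": hits})
    return findings

if __name__ == "__main__":
    for f in correlate(ACCESS_LOG, EXPORT_LOG):
        status = f["exports"] or "no mass export in window"
        print(f["session"].isoformat(), f["source_ip"], status)
```

Sessions that match the user ID but show no export in the window are listed anyway, since the export may have been logged under a different clock or outside the assumed window.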
The investigation is ongoing, with a final report expected by January 17, 2025. PowerSchool has committed to sharing these findings with impacted districts and assisting them in communicating with their communities through pre-prepared outreach materials and FAQs. As the educational community grapples with the aftermath, the breach underscores the critical importance of robust cybersecurity measures in safeguarding sensitive data.