Education technology giant PowerSchool has confirmed a data breach that may have exposed information on millions of school students, putting them at risk of identity theft.
PowerSchool has over 18,000 customers, covering 75% of K-12 students across North America and 60 million in the US, reports TechCrunch. It is a public company, acquired by Bain Capital in 2024 for $5.6 billion.
In the Memphis-Shelby School District in Tennessee, a PowerSchool account is required to enroll, according to Fox13 Memphis. “We don’t have a choice,” says one parent. “If that information can be revealed, that’s serious.”
The threat actor accessed PowerSchool’s Student Information System (SIS) in December with stolen credentials. They then forced PowerSchool to pay a ransom for the data, in exchange for a video of its deletion. “There is no guarantee that this was fully effective,” according to the New Jersey Cybersecurity and Communications Integration Cell. “As a precaution, PowerSchool is monitoring the dark web for any potential leaks.”
PowerSchool has decided not to disclose the full list of schools and the number of students affected. Instead, she notified districts individually by email. Its CEO Hardeep Gulati also appears to have organized a webinar with the affected schools.
“We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available. ,” PowerSchool said in a statement.
Information technology school administrators are trying to confirm the exposed data in their district, prompting someone to post instructions on Reddit on how to do so. At least one admin commented on the thread that all current AND historical data was involved in the breach, including from students who may have graduated years ago; TechCrunch reports the same.
According to PowerSchool, “data affected may vary in volume and sensitivity by school district.” Some schools only use the software for “grades and parent contact information,” according to one teacher on Reddit. Others have more extensive data collection. PowerSchool confirmed that the hack involved highly sensitive data, though it says “we expect most of the customers involved did not have sensitive information, including Social Security numbers or medical information.”
Below is an example of data collected from the Rancho Santa Fe district in California, according to its public disclosure.
Public disclosure of the PowerSchool data breach (Credit: Rancho Santa Fe District)
Schools affected by the PowerSchool data breach (so far)
Districts in many states and provinces are coming forward to notify their communities. Here are a few we know so far, and counting. Investigations in each district appear to be ongoing, in partnership with PowerSchool.
PCMag reached out to PowerSchool for a full list, which it declined to provide. We also reached out to the US Cybersecurity and Infrastructure Security Agency (CISA), and a spokesperson said: “We will refer you to PowerSchool for answers to your questions.”
If your district is affected, let us know in the comments.
-
Alabama: Alabaster City Schools, Hoover City Schools (source)
-
California: Rancho Santa Fe School District, Ramona Unified School District (source), San Diego Unified School District (source)
-
Chicago, IL: Burbank School District 11, Oswego Community Unit School District 308, Bremen School High School District 228, Community School District 146, Mundelein School High District 120, Lake Forest Districts 67 and 115, Beach Park District 3, Harvedge1 New School District Tech School Corporation ( Gary, Indiana), Lincolnshire–Prairie View School District 103, North Chicago School District 187, Prospect Heights School District 23, Zion Elementary District 6 (source)
-
CONNECTICUT: Windsor Locks, Coventry, Bolton, Enfield, East Hartford, Danbury, Milford, Wallingford and Regional School District 16 (source)
-
Georgia: Lanier County Schools (source)
-
Kansas: Russell County $407 (source)
-
Long Island, NY: Jericho, Hicksville, Glen Cove, West Hempstead, Lynbrook, Middle Country, Massapequa, Smithtown Central, Nassau BOCES and Uniondale ( source )
-
Manitoba, Canada: 80% of districts (source)
-
Maryland: Frederick County Public Schools (source)
-
Massachusetts: Lenox Public Schools (source)
-
North Carolina: All public schools (source)
-
Nebraska: Sargent, Burwell, Sandhills, Sumner-Eddyville-Miller and Stapleton (source)
-
Oklahoma: Mustang School District, Enid Public Schools (source)
-
Oregon: Baker School District (source)
-
Pennsylvania: Carlisle Area School District, Middletown Area School District and Williamsport Area School District (source)
-
South Carolina: Laurens County School District 56 (source)
-
Tennessee: Memphis-Shelby County Schools (source)
-
TEXAS: Dallas ISD (source)
Like what you’re reading?
Register for Security Watch newsletter for our best privacy and security stories delivered straight to your inbox.
This newsletter may contain advertisements, deals or affiliate links. By clicking the button, you confirm that you are over 16 years of age and agree to our Terms of Use and Privacy Policy. You can unsubscribe from newsletters at any time.
About Emily Forlin
Senior reporter
