PowerSchool Data Breach Exposes Student and Teacher Information

Education software giant PowerSchool has confirmed a cybersecurity breach that exposed the personal information of students and teachers across multiple school districts. The incident, discovered on December 28, 2024, involved unauthorized access to the company’s PowerSource customer support platform, which is used to manage student information systems (SIS).

PowerSchool, a leading provider of cloud-based software for K-12 schools, serves over 60 million students and 18,000 customers globally. The breach occurred when a threat actor used compromised credentials to access PowerSource and exported data from the ‘Students’ and ‘Teachers’ database tables. The stolen information includes names, addresses, and, in some cases, Social Security numbers, medical details, and academic records.

“The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource,” PowerSchool stated in a notification to customers. The company emphasized that not all customers were affected and that it has taken steps to mitigate the breach, including rotating passwords and implementing stricter security measures.

PowerSchool engaged cybersecurity firm CrowdStrike to investigate the incident and confirmed that it paid a ransom to prevent the stolen data from being released. “With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist,” the company said in an FAQ shared with customers.

Impacted school districts are being notified, and PowerSchool is offering credit monitoring services to affected adults and identity protection for minors. The company has also provided tools for districts to determine if their data was compromised, including checking audit logs for a maintenance user linked to the breach.

The breach has raised concerns about the security of sensitive student data, particularly in districts that use PowerSchool’s Naviance platform for college and career planning. Cybersecurity experts warn that such incidents highlight the need for stronger protections in educational technology systems.

PowerSchool has assured customers that its operations remain unaffected and that it is committed to transparency. A final report from CrowdStrike is expected by January 17, 2025, and will be shared with impacted districts.