PowerSchool Data Breach Exposes Millions of Student and Teacher Records

FOLSOM, Calif. — Education technology giant PowerSchool disclosed a massive cybersecurity breach affecting millions of students and teachers worldwide. The breach, discovered on Dec. 28, 2024, involved unauthorized access to the company’s PowerSource support portal, which manages sensitive student and teacher data.

PowerSchool, which serves 18,000 customers globally, including schools in the U.S. and Canada, revealed that hackers used stolen credentials to access its PowerSchool SIS platform. The platform, a cornerstone of the company’s offerings, handles critical data such as grades, attendance, enrollment, and personal information for over 60 million K-12 students and teachers.

According to PowerSchool, the breach was not a ransomware attack or the result of software vulnerabilities but rather a straightforward network intrusion. Hackers exploited an “export data manager” tool to steal database tables containing student and teacher information, exporting the data to a CSV file. The stolen data primarily includes contact details like names and addresses, but for some districts, it may also include sensitive information such as Social Security numbers, medical records, and grades.

“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” PowerSchool stated in a notice to customers. The company has since deactivated the compromised credentials, restricted access to the affected portal, and conducted a full password reset for all PowerSource accounts.

PowerSchool has hired a third-party cybersecurity firm to investigate the breach and determine the extent of the impact. Affected adults will be offered free credit monitoring, while minors will receive subscriptions to an unspecified identity protection service.

The breach has raised concerns about the security of sensitive educational data managed by large technology companies. PowerSchool, which was acquired by private equity firm Bain Capital for $5.6 billion in October 2024, is a major player in the growing “EdTech” industry. Critics argue that the consolidation of such data into the hands of a few corporations increases the risk of large-scale breaches.

School districts across the U.S. have begun notifying parents and staff about the breach’s impact. While some districts confirmed that sensitive data was compromised, others, like Fairfax County Public Schools in Virginia, stated they were unaffected. “There has been zero impact. To be clear, the breach did not impact FCPS in any way,” said Julie Allen, a spokeswoman for Fairfax County Public Schools.

Despite PowerSchool’s assurances, cybersecurity experts warn that stolen data could still resurface on the dark web. The breach underscores the importance of robust cybersecurity measures in an increasingly digitized education system.