PowerSchool hack could affect millions of K-12 students

By Judy Sanhz Published January 8, 2025

Education software giant PowerSchool suffered from a hack that might have put the sensitive data of K-12 students and teachers at risk. It’s unclear how many people were affected, but the PowerSchool Student Information System (SIS) platform contains the data of over 60 million students and 18,000 customers.

Some of the leaked data could be limited to names and addresses but some school districts may have been hit harder, with data like Social Security numbers (SSNs), personally identifiable information (PII), grades, and medical information being stolen, as reported by Bleeping Computer.

PowerSchool comments that it only became aware of the situation last month. It sent out a message to affected customers, saying, “As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource.”

The threat actor gained access using compromised credentials and then stole the data using an “export data manager.” The hackers used a maintenance access tool used by PowerSchool engineers for customer support and troubleshooting.

Once in, the hacker put all the data in a CSV file to steal it. However, not all data was taken since PowerSchool also told Bleeping Computer that data such as customer tickets, customer credentials, and forum data were not exposed. Also, the company says that not all PowerSchool SIS customer data is compromised, and only a subset will be notified that their data was leaked — but it’s unclear how many could potentially be affected in this cybersecurity incident.

The company is taking the situation seriously, changing all passwords and applying stronger guidelines. It also contacted cybersecurity experts, including CrowdStrike, to handle the situation. PowerSchool also worked with CyberSteward, a professional advisor with vast experience dealing with threat actors.

Although this reportedly was not a ransomware attack, PowerSchool ended up paying a ransom to prevent the data from being leaked. The threat actors gave PowerSchool logical assurances that the stolen data was erased. PowerSchool saw the data being erased on video, but there’s always a chance that it wasn’t fully erased — let’s hope that it was.

Despite the incident, PowerSchool is up and running and offers credit monitoring services to affected adults. If you want to make sure whether your school district was affected, check out the guide in this Bleeping Computer coverage.