PowerSchool data breach investigation reveals earlier hacks
Farah Amod
Mar 20, 2025 5:06:16 PM
PowerSchool’s long-awaited breach report reveals hackers infiltrated its systems months before the December 2024 attack.
What happened
PowerSchool has released findings from a long-awaited CrowdStrike investigation into its December 2024 data breach, revealing that hackers had gained access to its systems months earlier, in August and September. The cloud-based K-12 software provider serves over 60 million students and 18,000 customers globally, managing enrollment, communication, attendance, staff records, and financial data for schools.
The December breach targeted PowerSchool’s customer support portal, PowerSource, where a remote maintenance tool allowed hackers to connect to school databases and steal sensitive student and teacher information, including Social Security numbers, medical records, grades, and contact details.
Going deeper
The CrowdStrike report, compiled on February 28, 2025, confirmed that hackers exploited compromised credentials to access PowerSource. Their unauthorized access spanned from December 19 to December 28, allowing them to exfiltrate student and teacher data. However, there is no evidence that malware was installed, nor that the hackers escalated their privileges or moved laterally into broader school systems.
PowerSchool’s breach history appears more extensive than initially reported. The same compromised credentials were used to infiltrate PowerSource in August and September, raising concerns about PowerSchool’s security posture and incident detection capabilities. While it is unclear whether the same hackers were behind both breaches, logs confirm that unauthorized access began as early as August 16, 2024.
Despite the severity of the breach, PowerSchool has not officially disclosed how many schools, students, or teachers were impacted. However, sources indicate that 6,505 school districts across the U.S., Canada, and other countries were affected, compromising the data of over 62 million students and nearly 10 million teachers.
What was said
CrowdStrike noted that, as of January 2, 2025, its dark web monitoring had not found any stolen PowerSchool data being sold or leaked, suggesting that an extortion payment may have been made. The cybersecurity firm also stated that the available system logs did not go back far enough to determine whether the August and September breaches resulted in unauthorized access to PowerSchool’s Student Information System (SIS) data.
While PowerSchool has yet to provide a transparent breakdown of the impact, its delay in disclosure and lack of official confirmation about affected individuals have drawn criticism.
The big picture
PowerSchool’s breach isn’t just a cybersecurity failure—it’s a wake-up call for the entire education sector. Schools are trusting cloud-based platforms with millions of students’ most sensitive data, yet breaches like this show how vulnerable these systems really are. The fact that hackers had access for months before being detected raises serious questions about security oversight, breach response, and accountability. If education technology providers don’t step up their defenses and transparency, students, teachers, and families will continue paying the price.
FAQs
What actions can parents take if their child's data is compromised?
They should freeze their child's credit report with the three major credit bureaus (Equifax, Experian, and TransUnion) to prevent identity theft and unauthorized credit applications. This process is free and restricts access to the child's credit report. Parents should monitor their child's financial accounts for any signs of unusual activity and consider enrolling in an identity theft protection service that can provide alerts for any suspicious use of their child's information.
How can schools effectively communicate with stakeholders when a data breach occurs?
When a data breach occurs, schools must communicate effectively with stakeholders, including parents, students, and staff, to maintain trust and transparency. Schools should promptly issue a clear and concise notification detailing the nature of the breach, what information was compromised, and the potential risks involved.
Should healthcare providers treating the patients be notified about the breach?
Yes, healthcare providers treating patients whose data may have been compromised in a breach should be notified.