The tech vendor is known for housing student information for public schools nationwide.
What happened
Education software company PowerSchool recently announced that they had been the victim of a data breach in an incident initially reported by The Bleeping Computer.
In a notification letter, PowerSchool said it became aware of the breach on December 28th, 2024, when it discovered that customer information had been stolen from its student information system (SIS).
PowerSchool investigated the incident and determined that the threat actor used compromised credentials to access a portal, where they used an “export data manager” tool to steal data. The actor was able to access both student and teacher databases.
Stolen information mainly included names and addresses. For some districts, it also included Social Security numbers, personally identifiable information, medical information, and grades.
Going deeper
PowerSchool is a cloud-based software that supports over 60 million students. The company provides services for enrollment, communication, attendance, staff management, learning systems, analytics, and more.
The company said not all of its customers were impacted by the breach. Currently, it’s unclear how many schools were affected and many districts are making announcements to the counties they serve.
PowerSchool also confirmed that the incident was not a ransomware attack, but the organization opted to pay a ransom to prevent data from being released. In a statement provided to Bleeping Computer, PowerSchool said, “With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.” PowerSchool also stated they received a video showing the data had been deleted, but will continue monitoring the dark web to determine if a leak occurs. PowerSchool did not reveal how much money was paid to the threat actor.
In response to the breach, PowerSchool worked with third-party cybersecurity experts to investigate the incident and is taking steps to prevent future breaches.
The big picture
While companies are generally tight-lipped regarding data breaches, PowerSchool provided helpful information to its customers and reporters. Although the company believes the data has been deleted, it cannot be certain; paying a ransom never guarantees this and is a practice that could potentially lead the software provider to be targeted again.
Schools across the United States have issued statements regarding the breach, while others have remained silent.
For students and parents, a breach like this could come as a surprise, as many families may not know what companies or programs house their data. Ultimately, the responsibility falls on schools and their vendors to ensure sensitive data is secure.
While schools are not held to the standards of HIPAA, another law, The Family Education Rights and Privacy Act (FERPA) sets guidelines for safeguarding student information.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
