Education technology (EdTech) software provider PowerSchool suffered a significant data breach that exposed the personal information of students, teachers, and parents/guardians, forcing the company to pay a ransom.
Acquired by Bain Capital for $5.6 billion in 2024, PowerSchool serves over 75% of North American students, with over 50 million learners from the United States alone. Over 16,000 customers depend on the firm’s software products.
The Folsom, California-based EdTech firm said an unauthorized entity breached its systems on December 28, 2024, via PowerSource, a “community-focused customer support portal for all PowerSchool products.”
The attacker then pivoted to the School Information System, PowerSchool SIS, which manages schools’ data, including student records, enrolment, grades, and attendance.
PowerSchool EdTech data breach leaks students’ sensitive personal information
PowerSchool confirmed that the attacker gained access to the stored information, which likely included names, addresses, grades, medical information, Social Security Numbers, and other unspecified personal information belonging to students and teachers, thus making the data breach significant.
The names, phone numbers, and email addresses of parents and guardians were also potentially accessed, exposing them to phishing attacks.
However, the actual number of victims remains unreported. The EdTech firm is still working out the details of the data breach and will notify impacted individuals in the coming weeks.
PowerSchool says the attacker leveraged a compromised credential, which has since been deactivated, and that access to the portal has been restricted.
PowerSchool also performed a full password reset and implemented access control measures for all support accounts to prevent further compromise. The EdTech firm has also reported the data breach to law enforcement authorities.
Additionally, the cloud-based learning solutions provider is offering the victims free identity theft and credit monitoring services to protect them from the aftermath of the data breach.
Meanwhile, PowerSchool confirmed no evidence of further threat actor activity had been detected. The data breach also did not disrupt operations, and no malware was deployed, thus ruling out a ransomware attack.
“The primary lesson learned of [sic] this incident is for all software companies (large and small) to invest in maturing their privilege[d] user access management (PAM) capabilities to increase cyber resilience against threat actors attempting to gain privilege access using compromised user/consumer credentials,” said Jim Routh, Chief Trust Officer at Saviynt. “A secondary lesson learned from this incident is the need for cloud service providers to reduce the use of passwords that can be compromised.”
PowerSchool pays ransom after a cyber attack
The software solutions provider says the incident was contained, and the attacker had not publicly released the stolen data or shared it with other threat actors. The EdTech firm also does not anticipate threat actors releasing the stolen records.
“Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,” PowerSchool told school districts in an email. “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.”
PowerSchool did not explain why it was confident that the attacker would not disseminate the stolen records. However, sources say the EdTech firm was forced to pay a ransom to prevent the attackers from leaking the stolen information.
Nonetheless, PowerSchool is no stranger to data privacy controversy. In November 2024, the EdTech firm was accused of selling 345 terabytes of students’ data from 440 school districts for commercial gain.
The lawsuit claims that PowerSchool collects sensitive information “under the guise of educational support,” when in reality, it is for its financial benefit.