Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
U.S. school districts affected by the latest cyberattack on edtech giant PowerSchool told TechCrunch that hackers gained “complete” access to historical student and teacher data stored in their student information systems.
PowerSchool, the school records software used to support more than 50 million students in the US, suffered a hack in December. took over the company’s customer support portal with stolen credentials, allowing access to large amounts of personal data belonging to students and teachers in K-12 schools. Attribution of the attack to a specific hacker or group has not yet been announced.
PowerSchool did not say how many school customers were affected. However, two sources at the affected school districts, who spoke on condition of anonymity, told TechCrunch that the hackers accessed personal information of both current and former students and teachers.
“In our case, I have confirmed that they have access to all historical student and teacher data,” one person from the affected school district told TechCrunch. The person added that while PowerSchool said the hackers had access to its data since late December, the district’s records show the attackers gained access earlier.
Another person who works at a school district with about 9,000 students told TechCrunch that the attackers had access to “all teacher and student demographics, both active and historical, while we’ve had PowerSchool.”
“We saw this entry in our logs and (PowerSchool) disclosed it in customer calls,” the second person said. They added that PowerSchool did not provide the affected system with basic protections such as multi-factor authentication.
When contacted by TechCrunch, PowerSchool spokeswoman Beth Keebler did not dispute the customers’ accounts but declined to discuss security controls, citing company policy. When asked if PowerSchool uses multi-factor security in its business, Keebler said the company “uses MFA,” but did not elaborate.
Several school districts have publicly posted information about how the PowerSchool breach affected their students and staff. Menlo Park City Schools, another district affected by the PowerSchool breach, also confirmed that its historical data was accessed during the data breach. In a notice on their websiteThe California school district said the hackers accessed information on “all current students and staff,” as well as student and staff information dating back to the beginning of the 2009-2010 school year.
PowerSchool spokesperson Keebler declined to comment on the scope of the data breach, but told TechCrunch that PowerSchool has “identified the schools and districts where the data was accessed.” The company declined to publicly name those schools or districts.
Keebler said PowerSchool is still working to identify the specific individuals who may have accessed its data.
said Marc Racine, CEO of Boston-based educational technology consulting firm RootED Solutions. in a blog post this week’s PowerSchool breach also affected school districts that are former customers of PowerSchool, suggesting the scope of the breach may extend beyond the organization’s 18,000 existing education customers.
Racine added that some school districts are reporting that the number of affected students is four to ten times the number of students actively enrolled in their district.
According to the PowerSchool FAQ shared with customers last week TechCrunch sawinformation stolen in the breach included individuals’ names and addresses, Social Security numbers, certain medical and classroom information, and other non-identifying information about students and faculty.
Rancho Santa Fe School District is a California school district affected by the hack and one of PowerSchool’s first customers submits its own data breach notification along with state regulators, said the attackers also accessed teachers’ credentials to log into PowerSchool.
When asked by TechCrunch, Keebler said, “The type of data stored on the Student Information System (SIS) platform and retention policies for historical data vary based on individual customer and state requirements.”
“While the review of the data is ongoing, we expect that most of the affected customers did not have their Social Security numbers or medical information removed,” Keebler said in a statement to TechCrunch on Tuesday.
PowerSchool told TechCrunch last week that it took “appropriate steps” to prevent the publication of the stolen data and “believes that the data has been removed without any further duplication or dissemination.” The company did not elaborate on the steps it took and declined to say what evidence it has that the stolen data was deleted.
Want to learn more about the PowerSchool data breach? We would love to hear from you. On a non-work device, you can securely contact Carly Page by calling +44 1536 853968 or by email. carly.page@techcrunch.com.
