What PowerSchool isn’t saying about the “massive” breach of student data


It’s only January, but the recent hack of US edtech giant PowerSchool has the potential to be one of the biggest breaches of the year.

PowerSchool, which provides K-12 software to more than 18,000 schools to support nearly 60 million students in the U.S., confirmed the breach in early January. The California-based company, which Bain Capital bought in 2024 for $5.6 billion, said at the time that hackers used stolen credentials to breach its customer support portal, allowing further access to the company’s school information system, PowerSchool SIS.

“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS data through PowerSource, one of our community-facing customer portals,” PowerSchool spokeswoman Beth Keebler told TechCrunch.

PowerSchool has been open about certain aspects of the breach. Keebler told TechCrunch that the PowerSource portal, for example, did not support multi-factor authentication (MFA) at the time of the incident, while PowerSchool did. However, a number of important questions remain unanswered.

This week, TechCrunch sent PowerSchool a list of outstanding questions about the incident, which could affect millions of students across the U.S. The company’s SIS incident page has not been updated since January 17.

PowerSchool told customers that it would share an incident report on Jan. 17 from cybersecurity firm CrowdStrike, which the company hired to investigate the breach. But several sources who work at schools affected by the breach told TechCrunch that they have yet to receive it.

The company’s customers have many unanswered questions, forcing those affected by the breach to work together to investigate the hack.

Here are some of the unanswered questions.

It is not known how many schools or students were affected

TechCrunch heard from schools affected by the PowerSchool breach that the impact could be “massive.” However, PowerSchool’s incident page does not mention the extent of the breach, and the company has repeatedly declined to say how many schools and individuals were affected.

Keebler said in a statement sent to TechCrunch last week that PowerSchool has “identified the schools and districts involved in this incident” but would not share the names of those involved.

However, communications from affected school districts provide a general idea of the extent of the breach. The Toronto District School Board (TDSB), Canada’s largest school board, which serves approximately 240,000 students each year, said this week that hackers could have accessed nearly 40 years of student data. Likewise, California’s Menlo Park City School District confirmed that the hackers accessed information on all current students and staff (about 2,700 students and 400 staff, respectively) as well as student and staff data dating back to the start of the 2009-10 school year.

The extent of the data theft is also unknown. PowerSchool has not disclosed how much information was obtained in the cyberattack, but in communications shared with its customers earlier this month and seen by TechCrunch, the company confirmed that hackers stole “sensitive personal information” about students and teachers, including some students’ Social Security numbers, grades, demographic information, and medical information. TechCrunch has also heard from many schools affected by the incident that “all” of their historical student and teacher data was accessed.

A person who works at an affected school district told TechCrunch that the stolen data included highly sensitive student information, such as parents’ access rights to their children, including restraining orders, and information about when certain students should take their medication.

PowerSchool did not disclose how much it paid the hackers responsible for the breach

PowerSchool told TechCrunch that the organization has taken “appropriate steps” to prevent the publication of stolen data. In a communication shared with customers, the company confirmed that it is working with a cyber extortion response company to negotiate with the threat actors responsible for the breach.

All of this confirms that PowerSchool paid a ransom to the attackers who breached its systems. But when asked by TechCrunch, the company declined to say how much it paid or how much the hackers demanded.

We do not know what evidence PowerSchool has obtained that the stolen data was deleted

In a statement shared with TechCrunch earlier this month, PowerSchool’s Keebler said the organization “does not expect the information to be shared or made public” and “believes the information has been removed without further duplication or dissemination.”

However, the company has repeatedly refused to say what evidence it has that the stolen data was deleted. Early reports said the company received video evidence, but PowerSchool would neither confirm nor deny this when asked by TechCrunch.

Even so, proof of deletion in no way guarantees that the hackers don’t still have the data; the U.K.’s recent takedown of the LockBit ransomware group revealed evidence that the gang still had information on victims who had paid the ransom.

We still do not know who is behind the attack

One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company contacted the hackers but refused to reveal their identity. CyberSteward, the Canadian incident response organization PowerSchool hired to negotiate, did not respond to TechCrunch’s questions.

Want to learn more about the PowerSchool data breach? We would love to hear from you. On a non-work device, you can securely contact Carly Page by calling +44 1536 853968 or by email at carly.page@techcrunch.com.


