Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Edtech giant PowerSchool has warned customers that hackers accessed its customers’ highly sensitive data, including students’ Social Security numbers, grades and medical information, TechCrunch has learned.
In an FAQ obtained by TechCrunch that was sent to affected customers this week, PowerSchool says that “sensitive personal information” was accessed during the December breach. approved by PowerSchool on Wednesday.
Hackers accessed PowerSchool’s internal customer support portal using stolen credentials, the company previously said. The breach affects users of PowerSchool’s school information system, which schools use to manage student records, grades, attendance and enrollment.
PowerSchool said in an FAQ that while the stolen data mostly included contact information such as individuals’ names and addresses, the hackers were also able to access Social Security numbers, some medical and classroom information and other non-identifiable information about students. and teachers.
The California-based education technology firm, the largest provider of cloud-based education software for K-12 education in the US, says that personal information of parents and guardians, including names, phone numbers and email addresses, was also potentially compromised. in some school districts. The company said the types of data stolen will vary by customer.
PowerSchool spokeswoman Beth Keebler confirmed the legitimacy of the information in an FAQ Thursday, but declined to say how many people were affected by the breach. PowerSchool says its software is used by more than 16,000 customers to support more than 50 million students in North America.
In an FAQ, PowerSchool confirmed that the security incident was not ransomware in nature, but noted that it had spoken with CyberSteward, a Canadian organization that offers response services to cyber extortion incidents, with the threat actors responsible for the breach.
This confirms the previous report That PowerSchool was only the target of an extortion attack and paid a financial sum to prevent the hackers from publishing the stolen information.
PowerSchool declined to say what evidence it had that the stolen data was deleted when asked by TechCrunch on Thursday. CyberSteward did not respond to questions from TechCrunch.
“PowerSchool has taken all reasonable steps to prevent further unauthorized misuse of associated data and does not expect the data to be shared or disclosed,” Keebler said. “PowerSchool believes that the data has been deleted without any further duplication or dissemination.”
PowerSchool was acquired by Bain Capital in 2024 in a $5.6 billion deal. Bain Capital spokeswoman Rachel Colson had no comment when reached by TechCrunch this week.
Want to learn more about the PowerSchool data breach? We would love to hear from you. On a non-work device, you can securely contact Carly Page by calling +44 1536 853968 or by email. carly.page@techcrunch.com.
