Millions of Students and Teachers' Records Stolen in Major Cyberattack

Millions of Students and Teachers Affected

Cybercriminals have targeted education technology giant PowerSchool, stealing records of millions of students and teachers. The exact number of affected individuals remains unknown, but the scale of the breach is alarming. PowerSchool serves 18,000 customers worldwide, including schools in the U.S. and Canada, managing grading, attendance, and personal information for over 60 million K-12 students and teachers.

The breach was discovered on December 28th, 2024, after customer data from the PowerSchool SIS platform was stolen through the PowerSource support portal. Hackers accessed the portal using stolen credentials and used an "export data manager" tool to steal information. PowerSchool has hired a third-party cybersecurity firm to investigate the breach and determine who was affected.

The stolen data primarily includes contact details like names and addresses. However, for some districts, the data may also include sensitive information such as Social Security numbers, personally identifiable information, medical records, and grades. PowerSchool emphasized that not all SIS customers were affected and expects only a subset of customers will need to notify those affected.

The company has taken steps to mitigate the impact of the breach, including deactivating the compromised credential, restricting access to the affected portal, conducting a full password reset, and tightening password and access control for all PowerSource customer support portal accounts. Affected adults will be offered free credit monitoring, while minors will receive subscriptions to an unspecified identity protection service.

1. Monitor your accounts regularly.

2. Freeze your credit.

3. Use identity theft protection services.

4. Enable two-factor authentication (2FA).

5. Be aware of phishing links and use strong antivirus software.

You can blame hackers for this breach, but PowerSchool shares the responsibility for failing to adequately protect sensitive data. The company may also be in violation of data privacy agreements it signed with school districts, as well as federal and state laws designed to safeguard student privacy. What’s more concerning is that PowerSchool took nearly two weeks to notify its customers about the breach. Schools are now left scrambling to assess the full extent of the intrusion. This delay is not just irresponsible; it puts students, parents, and teachers at heightened risk of cyberattacks and identity theft.