The U.S. school district that fell victim to the recent cyberattack on education technology giant Power Schools told TechCrunch that the hackers accessed “all” historical student and teacher data stored in its student information systems.
PowerSchool, which uses school records software to support more than 50 million students across the United States, suffered a breach in December when its customer support portal was compromised with stolen credentials, leaving students and We now have access to a large amount of personal data belonging to teachers. in K-12 schools. It has not yet been publicly identified that this attack was the work of a specific hacker or group.
PowerSchool did not say how many school customers are affected. But two officials from the affected school districts, who requested anonymity, told TechCrunch that the hackers accessed a trove of personal data on current and former students and teachers.
“In our case, we just made sure that all historical student and teacher data was captured,” an official from one affected school district told TechCrunch. The official said Power Schools said the hackers had been accessing the data since late December, but added that the district's logs show the attackers had access before that.
Another person who works for a school district with about 9,000 students told TechCrunch that the attackers accessed “demographic data for every teacher and student, both current and past, for as long as PowerSchool has existed.” .
“We have verified this access in our logs. [PowerSchool] “We made that clear in a phone call from a customer,” the second person said. PowerSchool added that it does not protect affected systems with basic protections such as multi-factor authentication.
In a statement to TechCrunch, PowerSchool spokeswoman Beth Keibler said the company did not dispute the customer's account, but declined to discuss security controls, citing company policy. When asked if PowerSchool uses multi-factor security across its operations, Keibler said the company “does use MFA,” but declined to provide further details.
Several school districts have released information about how the PowerSchool breach has affected students and staff. Menlo Park City School District, another school district affected by the PowerSchool breach, also confirmed that historical data was accessed during the data breach. The California school district said in a notice posted on its website that the hackers accessed data on “all current students and staff,” as well as student and staff data dating back to the beginning of the 2009-2010 school year.
Keibler, a PowerSchool spokesperson, declined to comment on the scale of the data breach, but told TechCrunch that PowerSchool has “identified the schools and districts whose data was involved.” The company declined to release the names of those schools or school districts.
Keibler said PowerSchool is still working to identify the specific individuals whose data may have been accessed.
Mark Racine, CEO of RootED Solutions, a Boston-based education technology consulting firm, said in a blog post this week that the PowerSchool breach also affected school districts that were former PowerSchool customers, and that the scale of the breach was significant. This suggests that this may extend beyond schools, he said. The organization's 18,000 existing education customers.
Racine added that some school districts are reporting that the number of affected students is four to 10 times the number of students currently enrolled in the district.
According to a PowerSchool FAQ shared with customers last week and reviewed by TechCrunch, data stolen in the breach included individuals' names and addresses, social security numbers, some medical and academic information, and other student and teacher information. It is said to contain unspecified personal identification information belonging to . .
Rancho Santa Fe School District, a California school district affected by the hack and one of the first PowerSchool customers to file its own data breach notification with state regulators, said the attackers used teachers to gain access to PowerSchool. He also said he had access to his credentials.
“The type of data stored on the Student Information System (SIS) platform and historical data retention policies will vary based on individual customer and state requirements,” Keibler said in response to questions from TechCrunch.
“While our data review is ongoing, we do not anticipate that the majority of customers involved have brought their Social Security numbers or medical information with them,” Keibler told TechCrunch in a statement Tuesday.
PowerSchool told TechCrunch last week that it took “appropriate steps” to prevent the release of the stolen data and that it “believes the data has been deleted without further reproduction or distribution.” The company did not provide details about what action it took, nor did it say what evidence it had to suggest the stolen data had been deleted.
Do you have more information about the PowerSchool data breach? We'd love to hear from you. You can contact Carly Page securely from any non-work device on Signal (+44 1536 853968) or by email at carly.page@techcrunch.com.