Educational technology giant PowerSchool told customers that a “cybersecurity incident” occurred in K-12 school districts across the U.S. in which personal data of students and teachers was compromised by hackers.
California-based PowerSchool, acquired by Bain Capital in 2024 for $5.6 billion, is the largest provider of cloud-based educational software for K-12 education in the U.S., reaching more than 75% of North American students. It is said that they are providing a service. Company website. PowerSchool says its software is used by more than 16,000 customers and supports more than 50 million students in the United States.
In a letter sent to affected customers on Tuesday and published in local news, Power Schools said hackers had successfully penetrated its customer support portal, PowerSource, which the school uses. It said it was determined on December 28 that it had gained further access to the information system “PowerSchool SIS.” To manage student records, grades, attendance, and registration. The company's investigation found that the hackers gained access “using compromised credentials,” the letter said.
PowerSchool did not say what type of data was accessed during the incident or how many individuals were affected by the breach, and neither PowerSchool nor Bain Capital responded to TechCrunch's questions. Not yet.
The nature of the cyberattack remains unclear. Bleeping Computer reported that in an FAQ sent to affected users, PowerSchool said it had not experienced any ransomware attacks, but was forced to pay to prevent hackers from leaking stolen data. It is said that Power School told the publication that names and addresses were exposed in the breach, but that information could also include social security numbers, medical information, grades and other personally identifiable information. he said. Power School did not disclose how much the company paid.
PowerSchool was sued in a class action lawsuit in November 2024, accusing the company of illegally selling student data without their consent for commercial gain. The company's student data trove amounts to “345 terabytes of data collected from 440 school districts,” according to the complaint.
“Power Schools collects this sensitive information under the guise of educational support, but in reality it collects it for their own commercial gain,” while “Power Schools collects this sensitive information under the guise of educational support, but in reality it collects it for their own commercial gain.” The lawsuit alleges that the company hides behind “unprecedented terms of service.”