Education technology giant PowerSchool warned customers that hackers had accessed highly sensitive information, including customers' Social Security numbers, grades and medical information, during a recent data breach, TechCrunch has learned. I found out.
In an FAQ obtained by TechCrunch and sent to affected customers this week, PowerSchool said “sensitive personal information” was accessed during the December breach, which PowerSchool confirmed on Wednesday. It is.
The company previously announced that hackers used stolen credentials to break into PowerSchool's internal customer support portal. The breach affects users of PowerSchool's school information system, which schools use to manage student records, grades, attendance, and enrollment.
PowerSchool said in its FAQ that the stolen data primarily included contact details such as individuals' names and addresses, but the hackers also stole social security numbers, some medical and academic information, and other student and academic information. He said he also had access to unspecified personally identifiable information belonging to students. Teachers.
The California-based education technology company, the largest provider of cloud-based educational software for K-12 education in the U.S., said parents' personal information, including names, phone numbers and email addresses, may also have been compromised. Some school districts say they have sex. The company said the type of data stolen varies by customer.
PowerSchool spokeswoman Beth Keibler confirmed the validity of the information in an FAQ Thursday, but declined to say how many individuals would be affected by the breach. PowerSchool says its software is used by more than 16,000 customers and supports more than 50 million students across North America.
PowerSchool acknowledged in an FAQ that this security incident was not ransomware in nature, but it is working with CyberSteward, a Canadian organization that provides cyber extortion incident response services, to identify the breach. He said he had negotiated with the attacker responsible.
This confirms previous reports that PowerSchool was the target of an extortion-only attack and paid money to prevent the hackers from releasing stolen data.
In response to questions from TechCrunch on Thursday, PowerSchool did not say what evidence it had to suggest the stolen data had been deleted. CyberSteward did not respond to TechCrunch's questions.
“PowerSchool takes all appropriate steps to protect the data involved from further unauthorized misuse and does not anticipate that the data will be shared or made public,” Keibler said. “PowerSchool believes the data has been deleted without further reproduction or distribution.”
PowerSchool was acquired by Bain Capital in 2024 in a $5.6 billion deal. Bain Capital spokeswoman Rachel Colson did not comment when contacted by TechCrunch this week.
Do you have more information about the PowerSchool data breach? We'd love to hear from you. You can contact Carly Page securely from any non-work device on Signal (+44 1536 853968) or by email at carly.page@techcrunch.com.