We're only a few months until 2025, but the recent Edtech giant Powerschool hack is on track to become one of the biggest educational data breaches in recent years.
PowerSchool provided K-12 software to more than 18,000 schools to support approximately 60 million students across North America, and disclosed a data breach in early January 2025.
The California-based company, which was acquired by Bain Capital for $5.6 billion, said it would use a single compromised qualification to infringe the customer support portal in December 2024, allowing schools to have more access to the company's school information system used to manage student records, grades, attendance and registration.
PowerSchool is open about several aspects of the violation, for example, PowerSchool told TechCrunch that the compromised PowerSource portal does not support multifactor authentication at the time of the incident, but some key questions have not continued for several months.
TechCrunch has sent PowerSchool a list of notable questions about cases that could affect millions of students.
Powerschool spokesman Beth Keebler declined to answer our questions, saying that all updates related to the violation will be posted on the company's incident page. On January 29, the company said it had launched notifications to individuals affected by violations and state regulators.
Many of the company's customers also have prominent questions about the violation, forcing them to work with the affected people to investigate the hack.
In early March, PowerSchool announced the deaths after a data breaches created by CrowdStrike, two months after PowerSchool customers were said to be released. While much of the report's details were known, Crowdstrike confirmed that hackers could access PowerSchool's system as early as August 2024.
Here are some of the questions that remain unanswered.
PowerSchool does not say how many students or staff will be affected
TechCrunch has heard from PowerSchool customers that data breaches could be “large.” However, PowerSchool repeatedly refused to tell TechCrunch how many schools and individuals would be affected, despite telling TechCrunch that they “identified the schools and districts where the data was involved in this incident.”
Citing multiple sources, Bleeding Computer reported in January that the person responsible for the Powerschool violation had access to personal data from over 62 million students and 9.5 million teachers.
When asked by TechCrunch, Powerschool refused to confirm whether this number was accurate.
However, submissions to communications from PowerSchool's state attorney general and the compromised school suggest that millions of people likely had their personal information stolen in a data breach.
In a filing with the Texas Attorney General, Powerschool confirmed that nearly 800,000 state residents had their data stolen. It filed in January with the Maine Attorney General and said at least 33,000 residents were affected, which was later updated saying the number of affected individuals would be “determined.”
The Toronto District School Board, Canada's largest school board, serves around 240,000 students each year, but hackers have access to about 40 years of student data, saying data on roughly 1.5 million students were filmed in violations.
The Menlo Park City School District in California has accessed information from hackers about all current students and staff (approximately 2,700 students and 400 staff, respectively) and reviewed students and staff dating back to the start of the 2009-10 school year.
PowerSchool does not say which types of data were stolen
Not only do you know how many people were affected, but you don't know how many types of data were accessed during the violation.
In a communication shared with customers in January, PowerSchool said the hackers stole “sensitive personal information” to students and teachers, including student achievement, attendance and demographics. The company's incident page states that stolen data may contain Social Security numbers and medical data, but “different customer requirements have led to information extended for a particular individual changing across the customer base.”
TechCrunch hears from several schools affected by the incident that “all” of historic student and teacher data has been damaged.
One worker in the affected school district told TechCrunch that the stolen data contained highly sensitive student data, including information about parental access to children, highly sensitive student data such as suppressing orders, and information about when certain students need to take medication.
A source speaking to TechCrunch in February revealed that PowerSchool is offering affected schools a “SIS self-service” tool that queries and summarises PowerSchool's customer data and displays data stored in the system. However, Powerschool told the affected schools that the tool “may not accurately reflect the data that was excluded at the time of the incident.”
It is unclear whether PowerSchool has its own technical means, such as logs, to determine which types of data have been stolen from a particular school district.
PowerSchool won't say how much they paid to hackers who are responsible for the violations
Powerschool told TechCrunch that the organization has taken “appropriate measures” to prevent stolen data from being published. The communications shared with the customer confirmed that the company had worked with a cyberexpoment incident response company to negotiate with threat actors liable for the violation.
This confirms that Powerschool has paid a ransom to the attacker who compromised the system. However, when asked by TechCrunch, the company refused to say how much it paid, or how much the hackers had requested.
I don't know what kind of evidence PowerSchool received that stolen data was deleted
Keebler of Powerschool told TechCrunch that the company “doesn't expect the data to be shared or published,” and “we believe the data has been deleted without further copying or spreading.”
However, the company repeatedly refused to say the evidence it received to suggest that the stolen data had been deleted. Early reports show that the company received the video proof, but Powerschool did not confirm or deny when asked by TechCrunch.
Still, proof of deletion is not a guarantee that the hacker does not own the data yet. The UK's recent takedown of rock bit ransomware gangs has unearthed evidence that gangs still have data belonging to victims who paid ransom demand.
The hackers behind the data breach are not yet known
One of the biggest unknowns about Powerschool's cyberattacks is who was responsible. The company is in touch with hackers, but refuses to reveal their identity if they are known. CyberSteward, the Canadian incident response organization that PowerSchool collaborated to negotiate, did not respond to TechCrunch questions.
Crowdstrike's Forensic Report leaves questions unanswered
After PowerSchool released its Cloud Strike forensic report in March, one of the schools affected by the violation told TechCrunch that the findings were “overwhelming.”
The report confirmed that the violation was caused by compromised credentials, but the underlying cause of how the compromised credentials were obtained and used remains unknown.
Mark Racine, CEO of Incorporated Solutions, a Boston-based education and technology consulting firm, told TechCrunch that although he has provided “some details” in the report, “there is not enough information to understand what went wrong.”
It is not clear exactly how far the power school violations are actually
One new details in the Crowdstrike report is that hackers will have access to the PowerSchool network from August 16, 2024 to September 17, 2024.
This access was obtained using the same compromised credentials used in the December violation, and hackers accessed PowerSchool's PowerSource.
However, Crowdstrike said there was no sufficient evidence to conclude that this was the same threat leader responsible for the December violation due to lack of logs.
However, the findings suggest that a hacker, or multiple hackers, may have been accessing the PowerSchool network for several months before access was detected.
Is there any more information about PowerSchool data breach? We look forward to hearing from you. From non-work devices, you can safely contact the Carly page at a signal of +44 1536 853968 or email it at carly.page@techcrunch.com.