It's only January, but the recent hack of US edtech giant PowerSchool could be one of the biggest breaches of the year.
PowerSchool, which provides K-12 software to more than 18,000 schools to support approximately 60 million students in the United States, confirmed the breach in early January. The California-based company, which Bain Capital acquired for $5.6 billion in 2024, said at the time that hackers used compromised credentials to break into its customer support portal, which schools use to manage The company announced that it has enabled further access to the school information system “PowerSchool SIS.” Student grades, grades, attendance, and enrollment status.
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through PowerSource, one of our community-focused customer portals,” a PowerSchool spokesperson said. author Beth Keebler told TechCrunch.
PowerSchool has been open about certain aspects of this breach. Keebler told TechCrunch, for example, the PowerSource portal did not support MFA at the time of the incident, but PowerSchool did. However, many important questions remain unanswered.
This week, TechCrunch sent PowerSchool a list of unanswered questions about the incident, which could potentially impact millions of students in the United States. Keebler declined to answer our questions, stating that any updates regarding this breach will be posted in the company's SIS case. This page hasn't been updated since January 17th.
PowerSchool told customers on January 17 that it would share an incident report from CrowdStrike, the cybersecurity firm it hired to investigate the breach. However, multiple people working at schools affected by the breach told TechCrunch that they have not yet received the report.
The company's customers also have many unanswered questions, forcing those affected by the breach to work together to investigate the hack.
Here are some of the questions that remain unanswered.
It is unclear how many schools and students will be affected.
TechCrunch has heard from schools affected by the PowerSchool breach that the impact could be “significant.” However, PowerSchool's incident page does not mention the scale of the breach, and the company has repeatedly declined to say how many schools or individuals are affected.
In a statement to TechCrunch last week, Keibler said PowerSchool “has identified the schools and districts whose data was involved in this incident,” but would not release the names of those involved.
However, communications from affected school districts will give you an idea of the extent of the breach. The Toronto District School Board (TDSB), Canada's largest school board serving about 240,000 students each year, announced this week that hackers may have accessed nearly 40 years of student data. Similarly, the Menlo Park City School District, California, claims that hackers stole information about all of its current students and faculty (approximately 2,700 students and approximately 400 faculty and staff, respectively) at the beginning of the 2009-2010 school year. It was confirmed that traced student and faculty information had been accessed.
The scale of the data theft is also unclear. PowerSchool also did not say how much data was accessed during the cyberattack, but in a communication shared with customers earlier this month obtained by TechCrunch, the company said the hackers had accessed students, including some students. Admitted to stealing teachers' “sensitive personal information” including social security numbers, grades, demographics and medical information. TechCrunch has also heard that “all” historical student and teacher data was accessed from multiple schools affected by the incident.
A person who works for the affected school district told TechCrunch that the stolen data includes information about parents' access rights to their children, including restraining orders, and when certain students need to take their medication. He said it contains highly sensitive student data, including information.
Power School has not disclosed how much it paid the hackers who committed the breach.
PowerSchool told TechCrunch that it took “appropriate steps” to prevent the stolen data from being made public. In communications shared with customers, the company acknowledged that it worked with a cyber extortion incident response firm to negotiate with the attackers responsible for the breach.
This largely confirms that PowerSchool paid a ransom to the attackers who infiltrated the system. However, in response to questions from TechCrunch, the company declined to say how much it paid or what the hackers were demanding.
We do not know if PowerSchool has received any evidence that the stolen data has been deleted.
In a statement shared with TechCrunch earlier this month, PowerSchool's Keibler said the organization “does not expect the data to be shared or published” and that “the data has been deleted without further reproduction or distribution.” I'm thinking about it.''
However, the company repeatedly declined to say what evidence it had received suggesting the stolen data had been deleted. Initial reports said the company had received video evidence, but PowerSchool would not confirm or deny the matter in response to TechCrunch's questions.
Still, evidence of deletion does not guarantee that the hacker does not still own the data. The UK's recent bust of the LockBit ransomware gang has unearthed evidence that the gang still holds data on victims it ransoms.
It is not yet known who was behind the attack
One of the biggest unknowns about the PowerSchool cyberattack is who the culprit is. The company has been in contact with the hackers, but they have declined to reveal their identities. Canadian incident response organization CyberSteward, which PowerSchool worked with for negotiations, did not respond to TechCrunch's questions.
Do you have more information about the PowerSchool data breach? We'd love to hear from you. You can contact Carly Page securely from any non-work device on Signal (+44 1536 853968) or by email at carly.page@techcrunch.com.