TechCrunch News, January 15
PowerSchool data breach victims say hackers stole ‘all’ historical student and teacher data

 

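U.S. edtech giant PowerSchool suffered a cyberattack that exposed the personal data of large numbers of students and teachers. Using stolen credentials, the hackers accessed the customer support portal and obtained historical data stored in student information systems, including names, addresses, Social Security numbers, medical information and grades. The affected schools and districts are spread across the United States and include institutions that are no longer PowerSchool customers. The attackers obtained not only data on current students and staff but also historical data, in some cases dating back to 2009. PowerSchool has not publicly disclosed the specific schools affected or the number of people involved, but said it is working to identify the affected individuals.

🚨 PowerSchool hit by cyberattack: hackers used stolen credentials to access the customer support portal and obtained large amounts of personal data stored in student information systems.

📚 Historical data exposed: the attackers obtained not only data on current students and staff but also historical data going back to 2009, covering a long time span and a wide scope.

🔒 Wide range of data types: the exposed data includes sensitive personally identifiable information such as names, addresses, Social Security numbers, medical information and grades, posing a serious threat to personal privacy.

🏫 Broad impact: those affected include not only PowerSchool's current customers but also schools and districts that are no longer its customers, so the reach may be far greater than expected.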

U.S. school districts affected by the recent cyberattack on edtech giant PowerSchool have told TechCrunch that hackers accessed “all” of their historical student and teacher data stored in their student information systems. 

PowerSchool, whose school records software is used to support more than 50 million students across the United States, was hit by an intrusion in December that compromised the company’s customer support portal with stolen credentials, allowing access to reams of personal data belonging to students and teachers in K-12 schools. The attack has not yet been publicly attributed to a specific hacker or group.

PowerSchool hasn’t said how many of its school customers are affected. However, two sources at affected school districts — who asked not to be named — told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers.

“In our case, I just confirmed that they got all historical student and teacher data,” the person at one affected school district told TechCrunch. The person added that while PowerSchool said the hackers had access to its data from late December, the district’s logs show that the attackers had gained access earlier.

Another person, who works at a school district with almost 9,000 students, told TechCrunch that the attackers accessed “demographic data for all teachers and students, both active and historical, as long as we’ve had PowerSchool.”

“We have seen this access in our logs and [PowerSchool] has disclosed it in customer calls,” the second person said. They added that PowerSchool did not secure the affected system with basic protections, such as multi-factor authentication. 

When reached by TechCrunch, PowerSchool spokesperson Beth Keebler did not dispute the customers’ accounts but declined to discuss its security controls, citing company policy. When asked whether PowerSchool uses multi-factor security across its business, Keebler said the company “does use MFA,” but did not elaborate.

Several school districts have publicly posted information about how the PowerSchool breach is affecting their students and staff. Menlo Park City School District, another district affected by the PowerSchool breach, also confirmed that its historical data had been accessed during the data breach. In a notice on its website, the California school district said the hackers accessed data on “all current students and staff,” as well as data on students and staff dating back to the start of the 2009-2010 school year.

PowerSchool spokesperson Keebler declined to comment on the scale of the data breach, but told TechCrunch that PowerSchool had “identified the schools and districts whose data was involved.” The company declined to publicly share the names of those schools or districts.

Keebler said PowerSchool is still working to identify specific individuals whose data may have been accessed.

Marc Racine, the chief executive of the Boston-based education technology consulting firm RootED Solutions, said in a blog post this week that the PowerSchool breach also affects school districts that are former customers of PowerSchool, suggesting the scale of the breach could extend beyond the organization’s 18,000 existing educational customers. 

Racine added that some school districts are reporting a number of affected students four to ten times higher than the number of students actively enrolled in their district.

According to a PowerSchool FAQ shared with customers last week, which TechCrunch has seen, the data stolen in the breach includes individuals’ names and addresses, Social Security numbers, some medical and grade information, and other unspecified personally identifiable information belonging to students and teachers.

The Rancho Santa Fe School District, a California school district affected by the hack and one of the first PowerSchool customers to file its own data breach notice with state regulators, said that the attackers also accessed teachers’ credentials for accessing PowerSchool. 

When asked by TechCrunch, Keebler said that “the kind of data stored in the Student Information System (SIS) platform and retention policies for historical data varies by individual customer and state requirements.”

“While our data review remains ongoing, we expect the majority of involved customers did not have Social Security numbers or medical information exfiltrated,” Keebler told TechCrunch in a statement on Tuesday. 

PowerSchool told TechCrunch last week that it has taken “appropriate steps” to prevent the stolen data from being published, and said it “believes the data has been deleted without any further replication or dissemination.” The company did not provide specifics on what steps it took, and declined to say what evidence the company had to suggest that the stolen data had been deleted.

Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.
