U.S. edtech giant PowerSchool has begun notifying individuals affected by a December 2024 data breach that likely affects millions of students and teachers across North America.

PowerSchool said in a brief update on Monday that it had started the process of filing legally required regulatory notifications following the breach, which saw attackers use a stolen account credential to access the company’s customer support portal to exfiltrate huge quantities of sensitive student and teacher data. PowerSchool previously told TechCrunch that the hacked account was not protected with multi-factor authentication.

The California-based PowerSchool has already filed a data breach notification with Maine’s attorney general, which confirms that more than 33,000 state residents had data stolen during the breach. Though Maine state law typically requires organizations to disclose the total number of individuals known to be affected by a breach, PowerSchool has not yet disclosed this figure.

Bleeping Computer, citing multiple sources, reports that the hackers responsible for the PowerSchool breach allegedly accessed the personal data of more than 62 million students and 9.5 million teachers. PowerSchool says on its website that its technology is used by more than 60 million students.

When asked if the reported figure of 62 million students affected by the breach is accurate, PowerSchool spokesperson Beth Keebler (via crisis communications firm FTI Consulting) told TechCrunch that the company “cannot confirm” a precise number of affected individuals as the company’s data review process is ongoing. PowerSchool added that the organization will be providing updates to state attorneys general as its process progresses, suggesting the number of affected Maine residents may be higher than the 33,000 reported figure to date. 

“This is a complicated process because the data review for on-premises customers requires additional collaboration between PowerSchool and those customers,” PowerSchool’s spokesperson said.

Millions of students already confirmed affected

Many questions remain unanswered about the PowerSchool data breach: It is still unclear who was responsible for the attack; what evidence PowerSchool allegedly received that its stolen data was deleted; or the amount that the company paid in a ransom demand to the hackers. The lack of information surrounding the incident forced affected school districts to work together to investigate the impact and scale of the breach. 

In a post on its incident page, PowerSchool says it cannot yet confirm what types of sensitive data were accessed “because the answer varies by individual customer and is dependent on customer choice or district policies and requirements.” TechCrunch has heard from multiple school districts affected by the breach that “all” of their historical data stored in PowerSchool, including sensitive data such as information about parental access rights to their children, was accessed.

Toronto District School Board (TSDB), which last week confirmed that hackers had accessed close to 40 years’ worth of student data, is the worst-hit organization so far, with the data of almost 1.5 million students taken in the breach. In a letter to parents, seen by TechCrunch, TDSB confirmed the stolen data includes genders, grade information, medical data, and accommodation details. 

Bleeping Computer also lists the Calgary Board of Education (CBE) among those impacted by the breach, and reports that the data of more than 500,000 students was taken. In a statement to TechCrunch, CBE spokesperson Joanne Anderson said the board “does not have confirmation from PowerSchool about the number of students and staff impacted and the details of the data taken.”

Affected school districts are also notifying those whose data was stolen during the PowerSchool breach. Idaho’s West Ada School District, which has almost 40,000 students in K-12 classes, said in a letter, seen by TechCrunch, that personal information including “life-safety health and grade information for current and former students” had been accessed. 

Alexandria City Public Schools in Virginia, which serves more than 16,000 students, also confirmed that student data had been compromised. In a letter sent to parents, the district says that hackers accessed students’ personal information, medical data, and free meal statuses.

In a statement on its website, the Rochester City School District has confirmed that 134,000 students were affected by the PowerSchool breach. The district, which oversees 46 schools in New York, said that the information accessed includes legal alerts, medical diagnoses and conditions.