TechCrunch News, February 3
What PowerSchool won’t say about its data breach affecting millions of students

 

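U.S. edtech giant PowerSchool suffered a major cybersecurity incident: hackers breached its customer support portal using compromised credentials, exposing the sensitive personal information of millions of students and teachers. Although PowerSchool has acknowledged the incident, many key questions remain unanswered, including the number of schools and students affected, the types of data exposed, whether a ransom was paid, and the identity of the hackers. The student data involved may include grades, attendance, demographic information, Social Security numbers and medical data. PowerSchool has hired cybersecurity firm CrowdStrike to investigate, but the investigation report has not yet been made public, prompting widespread concern among the public and affected schools.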

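🚨 PowerSchool's customer support portal was breached by hackers using compromised credentials, exposing sensitive information on students and teachers, with the impact reaching more than 60 million students at more than 18,000 schools across North America.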

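❓ Although PowerSchool has acknowledged the data breach, many important questions remain unanswered, including the specific number of schools and students affected, the types of data exposed, whether a ransom was paid, and the identity of the hackers.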

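🔒 The exposed data may include students' grades, attendance records and demographic information, and possibly even highly sensitive information such as Social Security numbers and medical data; exactly what was exposed varies by school.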

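🕵️ PowerSchool has hired cybersecurity firm CrowdStrike to investigate, but the investigation report has not yet been made public, leading affected schools and the public to voice concern about the transparency of the incident.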

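💰 PowerSchool worked with a cyber-extortion incident response company to negotiate with the hackers, which all but confirms that the company paid a ransom, but the amount and whether it received proof of data deletion have not been made public.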

It’s only February, but the recent hack of U.S. edtech giant PowerSchool has the potential to be one of the biggest breaches of the year. 

PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, confirmed the breach in early January. The California-based company, which Bain Capital acquired for $5.6 billion in 2024, said hackers used compromised credentials to breach its customer support portal, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment. 

“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource,” PowerSchool spokesperson Beth Keebler told TechCrunch. 

PowerSchool has been open about some aspects of the breach. Keebler told TechCrunch that the PowerSource portal, for example, did not support multi-factor authentication at the time of the incident, while PowerSchool did. But a number of important questions remain unanswered.

TechCrunch sent PowerSchool a list of outstanding questions about the incident, which has the potential to impact millions of students in the U.S. Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company’s incident page. On January 29, the company said it began notifying individuals affected by the breach and state regulators. 

PowerSchool told customers it would share by mid-January an incident report from cybersecurity firm CrowdStrike, which the company hired to investigate the breach. But several sources who work at schools impacted by the breach told TechCrunch that they have yet to receive it.

The company’s customers also have lots of unanswered questions, forcing those affected by the breach to work together to investigate the hack.

Here are some of the questions that remain unanswered. 

It’s not known how many schools, or students, are affected

TechCrunch has heard from schools affected by the PowerSchool breach that its scale could be “massive.” However, PowerSchool has repeatedly declined to say how many schools and individuals are affected despite telling TechCrunch that it had “identified the schools and districts whose data was involved in this incident.”

Bleeping Computer, citing multiple sources, reports that the hacker responsible for the PowerSchool breach allegedly accessed the personal data of more than 62 million students and 9.5 million teachers. PowerSchool has repeatedly declined to confirm whether this number was accurate. 

While PowerSchool won’t give a number, the company’s recent filings with state attorneys general suggest that millions had personal information stolen in the breach. In a filing with the Texas attorney general, for example, PowerSchool confirms that almost 800,000 state residents had data stolen.

Communications from breached school districts give a general idea of the size of the breach. The Toronto District School Board (TDSB), Canada’s largest school board that serves approximately 240,000 students each year, said that the hacker may have accessed some 40 years’ worth of student data, with the data of almost 1.5 million students taken in the breach. Similarly, California’s Menlo Park City School District confirmed that the hacker accessed information on all current students and staff — which respectively number around 2,700 students and 400 staff — as well as students and staff dating back to the start of the 2009-10 school year.

We still don’t know what types of data were stolen 

Not only do we not know how many people were affected, but we also don’t know how much or what types of data were accessed during the breach. 

In a communication shared with its customers earlier in January, seen by TechCrunch, the company confirmed that the hacker stole “sensitive personal information” on students and teachers, including students’ grades, attendance, and demographics. The company’s incident page also states that stolen data may have included Social Security numbers and medical data, but says that “due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.”

TechCrunch has also heard from multiple schools affected by the incident that “all” of their historical student and teacher data was compromised. 

One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student data, including information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medications. 

A source speaking with TechCrunch in February revealed that PowerSchool has provided affected schools with a “SIS Self Service” tool that can query and summarize PowerSchool customer data to show what data is stored in their systems. PowerSchool told affected schools, however, that the tool “may not precisely reflect data that was exfiltrated at the time of the incident.”

It’s not known if PowerSchool has its own technical means, such as logs, to determine which types of data were stolen from specific school districts. 

PowerSchool hasn’t said how much it paid the hacker responsible for the breach

PowerSchool told TechCrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach. 

This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, or how much the hacker demanded.

We don’t know what evidence PowerSchool received that the stolen data has been deleted

PowerSchool’s Keebler told TechCrunch that the company “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.”

However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn’t confirm or deny when asked by TechCrunch. 

Even then, proof of deletion is by no means a guarantee that the hacker is no longer in possession of the data; the U.K.’s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.

We don’t yet know who was behind the attack

One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hacker but has refused to reveal their identity, if known. CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch’s questions.

The results of CrowdStrike’s investigation remain a mystery

PowerSchool is working with incident response firm CrowdStrike to investigate the breach. PowerSchool customers were told that the security firm’s findings would be released on January 17. However, the report has yet to be published, and affected school districts have told TechCrunch that they have not yet seen the report. CrowdStrike declined to comment when asked by TechCrunch. 

CrowdStrike released an interim report in January, which TechCrunch has seen, but it contained no new details about the breach.

Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.
