PowerSchool, a major education technology software platform for North American schools, has confirmed the theft of sensitive student and teacher information following a cyberattack in late December 2024.
Why It Matters
Sensitive personal information, such as names, addresses, and in some cases Social Security numbers and medical information, was stolen by “unauthorized actors” in a data breach on December 28, 2024, the company said. Data breaches can lead to identity theft, leaving victims vulnerable to fraud and other illegal activities.
What To Know
PowerSchool provides cloud-based software to K-12 schools across North America, and according to the company’s website, supports more than 60 million students.
A spokesperson for the company told The Register: “We believe the unauthorized actor extracted two tables within the student information system database. These tables primarily include contact information with data elements such as name and address information for families and educators.”
When asked about how many people may be impacted by the data breach, a spokesperson for PowerSchool told Newsweek that they “don’t have specifics to share at this time, I can tell you that we are still working through our detailed data review, and our priority is providing all necessary details to our customers as soon as possible.”
The company said that “a certain subset of the customers” may also have had their Social Security numbers and “other personally identifiable information, and limited medical and grade information” stolen.
“Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations,” the company said.
Some school districts and local governments in the U.S. have confirmed they are impacted by the breach, including Westford Public Schools in Massachusetts, and the states of North and South Carolina.
The government of Newfoundland and Labrador in Canada has also confirmed that schools in the region are impacted. According to a report by CBC, hackers managed to access information dating back to 1995.
What People Are Saying
A statement on the Westford, Massachusetts, website reads: “The Town of Westford and Westford Public Schools are committed to the protection of students’, staff and families’ information. Although there is currently no evidence of impact to the district’s other systems, both school and town administrations remain proactive and vigilant, working closely with PowerSchool to monitor this matter and any further developments and ensure the continued security of all systems.”
Ellen Weaver, South Carolina’s superintendent of education, told Fox Carolina: “We will insist that PowerSchool not only notify affected individuals but also provide them with credit and identity monitoring services.”
Newfoundland and Labrador education minister Krista Lynn Howell said on Wednesday: “I thought it was very important that we let our schools, our families and our communities know that this has happened. Cyber security is everybody’s responsibility. So [we] encourage parents to take that advice and change their passwords and continue to monitor their accounts.”
A statement from PowerSchool to Newsweek on Thursday said: “On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource. We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. The incident is contained and we do not anticipate the data being shared or made public. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts.
“PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously. Our priority is to support our customers through this incident and to continue our unrelenting focus on data security. PowerSchool is committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
What’s Next
PowerSchool said it does not “anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” according to The Register.
“We have also deactivated the compromised credential and restricted all access to the affected portal,” the company said. “Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
The post PowerSchool Issues Nationwide Data Breach Alert: What We Know appeared first on Newsweek.