Overview:
The breech resulted in the unauthorized access of personal data from millions of current and former students and teachers.
School districts across the United States are grappling with the fallout of a cyberattack on edtech giant PowerSchool, which resulted in the unauthorized access of personal data from millions of current and former students and teachers. The breach, first detected on December 28, 2024, compromised PowerSchool’s customer support portal and provided attackers access to the company’s Student Information System (SIS), used by more than 60 million students nationwide.
PowerSchool has not disclosed the exact number of affected school districts. However, multiple sources have confirmed to The Educator’s Room that hackers accessed extensive troves of data, including demographic information, Social Security numbers, limited medical records, and academic data dating back over a decade.
“In our district, we’ve confirmed they got historical student and teacher data,” said a representative from one affected school district of over 40,000 students, who requested anonymity.
Lack of Security Measures Under Scrutiny
Criticism has mounted over PowerSchool’s apparent failure to implement basic security protections, such as multi-factor authentication (MFA), on its systems.
The Menlo Park City School District in California disclosed on its website that data on “all current students and staff,” as well as data going back to the 2009-2010 school year, was accessed during the breach. Meanwhile, the Rancho Santa Fe School District reported that attackers also obtained teacher credentials, raising concerns about potential misuse of account access.
Scale of Breach Extends to Former Customers
Mark Racine, CEO of the Boston-based education technology consulting firm RootED Solutions, revealed that even former PowerSchool customers were impacted, significantly expanding the breach’s scope. Racine noted that some districts estimate the number of affected individuals to be four to 10 times higher than their current enrollment.
According to PowerSchool’s internal FAQ, the stolen data includes names, addresses, Social Security numbers, limited medical and academic information, and other unspecified personal details. The company has refrained from naming affected districts but said it is working to notify specific individuals whose data was compromised.
Uncertainty Over Data Deletion Claims
PowerSchool claims to have taken “appropriate steps” to prevent the stolen data from being published or further disseminated. The company said it believes the data has been deleted, though it has not provided evidence or specifics on how this conclusion was reached.
The Road Ahead for Affected Schools
Districts across the country are now scrambling to assess the breach’s impact and implement additional safeguards. Some are already reporting identity theft and misuse of the stolen information. Experts warn that the violation could have long-lasting implications, particularly for individuals whose sensitive data was exfiltrated.
As investigations continue, affected districts are calling for greater transparency from PowerSchool and stricter cybersecurity standards for education technology providers.
For now, students, parents, and educators are left to navigate the uncertain aftermath of one of the largest breaches to hit the U.S. education sector.