-(4)-1731951738-q80.webp){kind=small}
A major cybersecurity breach has impacted PowerSchool, the largest provider of cloud-based education software for K-12 schools in the United States. The incident, first reported late last month, has exposed sensitive data from over 60 million students and 9.5 million teachers across 6,500 school districts, including Social Security numbers and limited medical information.
PowerSchool notified affected schools of the breach on January 7, though the full scope of the attack is still being assessed. According to a report from BleepingComputer, the hacker accessed PowerSchool’s systems using compromised credentials and stole data through an “export data manager.”
The stolen data included student and teacher records from the company’s Student Information System (SIS), which tracks grades, attendance, and enrollment. The hacker reportedly demanded a ransom, claiming to have deleted the data after payment. PowerSchool has not publicly confirmed whether it paid the ransom.
The breach primarily exposed names, addresses, dates of birth, and other contact details. In some cases, Social Security numbers and limited medical alerts, such as allergy information, were also accessed. However, the company stated that more than three-quarters of individuals did not have their Social Security numbers exposed. PowerSchool clarified that no credit card or banking information was involved in the breach.
The severity of the impact varies by district. In Lake Forest, Illinois, two school districts reported that the stolen data included student names, enrollment details, bus stop codes, and limited medical information. Sensitive data like Social Security numbers and insurance information were not compromised in this case. However, in North Carolina, the Social Security numbers of 312,000 teachers were exposed.
Some of the largest districts in the country were affected, including the Memphis-Shelby School District in Tennessee, which reported that data from over 485,000 students and 54,000 teachers had been compromised. Similarly, the San Diego Unified School District and the Dallas Independent School District in Texas confirmed that their records were part of the breach.
In North Carolina, Wake County Public School System (WCPSS) said that while student Social Security numbers were not accessed, their names, birthdays, and mailing addresses may have been exposed.
PowerSchool has stated that it does not believe there is an ongoing risk of unauthorized access or malware in its systems. The company has launched an investigation and is working to provide resources to those affected.
Impacted individuals will receive notification emails from PowerSchool in the coming weeks. The company is also offering two years of free identity protection and credit monitoring services to students and educators whose information was compromised.
PowerSchool emphasized its commitment to learning from the incident and strengthening its security protocols. A spokesperson stated, “We are committed to serving our customers and shared communities, and we aim to become stronger and more resilient as a company.”
Parents, educators, and school districts are urged to monitor updates and access additional resources through the public website set up by PowerSchool. As investigations continue, the breach has raised concerns about the vulnerability of sensitive student data in education technology systems and the necessity for stronger security measures moving forward.
