PowerSchool Hacker Alleges Theft of Data from 62 Million Students

A hacker responsible for breaching PowerSchool, a prominent education technology provider, claims to have stolen the personal data of 62.4 million students and 9.5 million teachers, according to an extortion demand.

PowerSchool is a cloud-based platform that serves K-12 schools and districts, offering tools for enrollment, communication, attendance tracking, staff management, learning systems, analytics, and finance.

The breach, which occurred after a threat actor used stolen credentials to access PowerSchool’s PowerSource customer support portal, was disclosed on January 7. Using this unauthorized access, the attacker reportedly leveraged a maintenance tool within the customer support system to download data from various school districts’ PowerSIS databases.

Stolen Data Includes Sensitive Information

According to a FAQ reviewed by BleepingComputer, the breach exposed sensitive student data, including Social Security Numbers, medical records, and academic grades, for a subset of those affected. PowerSchool acknowledged paying a ransom to the hacker to prevent the stolen data from being leaked, claiming to have witnessed a video of the hacker deleting the stolen files.

While PowerSchool provided details through a private customer FAQ, specific figures on the number of affected students and teachers remain undisclosed, frustrating educators, parents, and administrators.

Scope of the Breach

Sources revealed to BleepingComputer that the breach impacted 6,505 school districts across the U.S., Canada, and other countries. In total, the attack is believed to have compromised data for 62,488,628 students and 9,506,624 teachers.

The largest districts allegedly impacted include:

| District Name | Students Impacted | Teachers Impacted |
|---|---|---|
| Toronto District School Board | 1,484,733 | 90,023 |
| Peel District School Board | 943,082 | 39,693 |
| Dallas Independent School District | 787,212 | 79,718 |
| Calgary Board of Education | 593,518 | 133,677 |
| Memphis-Shelby County School | 485,087 | 54,501 |
| San Diego Unified | 472,278 | Data Not Confirmed |
| Charlotte-Mecklenburg Schools | 467,974 | 57,486 |
| Wake County Public School | 461,005 | 92,783 |

Response and Mitigation

PowerSchool emphasized that the type of data exposed varies by district, as school systems decide what information is stored based on local policies. The company estimates that less than 25% of impacted students had Social Security Numbers included in the breach.

For districts using self-hosted systems, the review process has been more complex, requiring collaboration with individual districts to assess the data impacted.

Company Statement

In a statement to BleepingComputer, PowerSchool stressed its commitment to supporting affected students, teachers, and families. The company is offering two years of free identity protection and credit monitoring services for all impacted individuals, regardless of whether sensitive data, such as Social Security Numbers, was involved.

PowerSchool also pledged to notify state attorneys general and impacted parties on behalf of its customers, while continuing to investigate the breach with cybersecurity firm CrowdStrike. However, a promised incident report, initially scheduled for release on January 17, has yet to be finalized.

In the meantime, PowerSchool has created a public website for updates and provided customers with a confidential fact sheet summarizing CrowdStrike’s findings to date.
