Most schools use a Student Information System (SIS) to manage all of their students’ records, grades and personal information. PowerSchool is the biggest SIS company in the US and Canada, and they just suffered a data breach. If you have kids in K-12 school right now, you may want to know more about this:
Data Extortion
PowerSchool is where the data breach happened. Please do not place blame on your child’s school! Hackers found a way into a PowerSchool portal, and stole data relating to students, families and their schools. Contact info was taken, as well as SSNs and medical information. Upwards of 72 million records may have been stolen! The criminals then extorted PowerSchool for an undisclosed amount of money.
However, not all school districts have been affected. Your particular school district may or may not have had any data taken, so please remain calm and wait for your PowerSchool-using school district to reach out to you with more information. I suspect that if a school system stores their SIS data on their own servers, then it was safe from this breach. If a school system stored their SIS data in the cloud (on PowerSchool’s servers), then it was likely stolen. Also, I am dismayed to learn that the data of former PowerSchool customers may have also been stolen.
For those whose data was impacted, please know that PowerSchool paid a ransom to the cybercriminals. This unknown sum was sent in exchange for a promise that the crooks would not share the stolen info and would instead destroy it. Also, PowerSchool is likely to offer free identity protection to those impacted, both parents and their minor children.
UPDATE: Paying the ransom did not work. In May of 2025, cybercriminals are surfacing with stolen PowerSchool data in hand. Using this data, they are contacting and trying to extort money from school boards across North America.
Further Details
Through the beginning of January, PowerSchool had only provided a brief statement to Newsweek about this breach. But starting on January 13, 2025, PowerSchool created a “community-facing FAQ”, for all to consult. I’m not impressed. The info there is highly sanitized, and conflicts with what I’m hearing from local school districts. But still: you might bookmark that page and check it for updates.
CrowdStrike was hired to investigate and said they’ll wrap up their reports by January 17, 2025. That report was released, but was sparse enough that regular parents and students could not gain any assurance from it. Lawsuits have begun over this whole debacle, which may reveal a different type of information. If you are curious, here are some links to class action suits pertaining to this breach.
And now, in May 2025, it appears the perpetrator has been found and charged. A 19-year-old college student in Worcester, MA is now being brought up on various federal charges for this data breach.