PowerSchool Data Breach

PowerSchool Data Breach

Most schools use a Student Information System (SIS) to manage all of their students’ records, grades and personal information. PowerSchool is the biggest SIS company in the US and Canada, and they just suffered a data breach. If you have kids in K-12 school right now, you may want to know more about this:

Data Extortion

PowerSchool is where the data breach happened. Please do not place blame on your child’s school! Hackers found a way into a PowerSchool portal, and stole data relating to students, families and their schools. Contact info was taken, as well as SSNs and medical information. The criminals then extorted PowerSchool for an undisclosed amount of money.

However, not all school districts have been affected. Your particular school district may or may not have had any data taken, so please remain calm and wait for your PowerSchool-using school district to reach out to you with more information. I suspect that if a school system stores their SIS data on their own servers, then it was safe from this breach. If a school system stored their SIS data in the cloud (on PowerSchool’s servers), then it was likely stolen. Also, I am dismayed to learn that the data of former PowerSchool customers may have also been stolen.

However, not all school districts have been affected. Your particular school district may or may not have had any data taken, so please remain calm and wait for your PowerSchool-using school district to reach out to you with more information. I suspect that if a school system stores their SIS data on their own servers, then it was safe from this breach. If a school system stored their SIS data in the cloud (on PowerSchool’s servers), then it was likely stolen.

For those whose data was impacted, please know that PowerSchool allegedly paid a ransom to the cybercriminals. This unknown sum was sent in exchange for a promise that the crooks would not share the stolen info and would instead destroy it. Also, PowerSchool is likely to offer free identity protection to those impacted, both parents and their minor children.

Further Details

Through the beginning of January, PowerSchool had only provided a brief statement to Newsweek about this breach. But starting on January 13, 2025, PowerSchool created a “community-facing FAQ”, for all to consult. I’m not impressed. The info there is highly sanitized, and conflicts with what I’m hearing from local school districts. But still: you might bookmark that page and check it for updates.

CrowdStrike has been hired to investigate and says they’ll wrap up their reports by January 17, 2025. That info might then be added to that FAQ. And there is the possibility that PowerSchool will directly contact those who are affected by this breach. But if you do receive any PowerSchool communications, be wary of anyone asking for sensitive account information.

Lawsuits have begun over this incident, which may reveal a different type of information. If any class actions materialize, I will update this post on how you might join them.

Leave a Comment