
Mammoth PowerSchool Hack Exposes Massive Data Vulnerability

IMAGE CREDITS: CYBERCRIME MAGAZINE

Only a few months into 2025, a cyberattack on U.S. edtech provider PowerSchool is shaping up to be one of the most significant education data breaches in recent history. It comes shortly after the FBI issued warnings about ransomware scams. The company, which supplies K-12 software to over 18,000 schools and serves approximately 60 million students across North America, first revealed the breach in early January.

How the PowerSchool Breach Occurred

The California-based company, acquired by Bain Capital for $5.6 billion, reported that a hacker exploited a single compromised credential in December 2024. This allowed unauthorized access to PowerSchool’s customer support portal and, subsequently, its school information system (SIS), which manages student records, grades, attendance, and enrollment.

While PowerSchool has disclosed some details—such as the lack of multi-factor authentication on the breached PowerSource portal—many critical questions remain unanswered months after the incident.

Unanswered Questions Surrounding the Data Breach

Despite repeated inquiries from TechCrunch, PowerSchool has declined to provide further insights, stating that all updates will be shared on its incident page. On January 29, the company announced it had begun notifying affected individuals and state regulators. However, many school districts impacted by the breach are left searching for answers, forcing them to collaborate on their own investigations.

A postmortem analysis of the breach, prepared by cybersecurity firm CrowdStrike and released in March—two months later than promised—confirmed that hackers had access to PowerSchool’s systems as early as August 2024.

Scale of the Data Breach: How Many Are Affected?

PowerSchool has yet to disclose the total number of affected students and staff. However, industry reports suggest the breach could be massive.

Bleeping Computer, citing multiple sources, reported that over 62 million student records and 9.5 million teacher records were compromised. Yet, PowerSchool has not confirmed these numbers.

Filings with state attorneys general and school district reports indicate that millions of individuals likely had their personal data stolen.

  • Texas Attorney General Filing: Nearly 800,000 state residents had their data compromised.
  • Maine Attorney General Filing: Initially reported 33,000 affected residents, but later updated to “to be determined.”
  • Toronto District School Board: Reported that 1.5 million student records spanning 40 years were accessed.
  • Menlo Park City School District: Confirmed that data for all current students and staff, plus records dating back to 2009-2010, were compromised.

What Kind of Data Was Stolen?

PowerSchool has not detailed the specific types of data compromised in the breach.

A January communication to customers, seen by TechCrunch, stated that the hacker stole “sensitive personal information,” including student grades, attendance, and demographic data.

Additionally, PowerSchool’s incident page suggests that the stolen data may include Social Security numbers and medical information. However, the company has clarified that the exact data exfiltrated varies by customer.

Some affected schools report that all historical student and teacher data was compromised. One district employee informed TechCrunch that the stolen records contained highly sensitive information, such as parental access rights, restraining orders, and student medication schedules.

PowerSchool has provided affected schools with a “SIS Self Service” tool to review stored data. However, the company admits this tool “may not precisely reflect” what data was exfiltrated.

Did PowerSchool Pay a Ransom?

While PowerSchool has stated it took “appropriate steps” to prevent stolen data from being published, it has not confirmed whether it paid a ransom.

A communication to customers revealed that the company worked with a cyber-extortion incident response firm to negotiate with the hackers—strongly indicating that a ransom was paid. However, PowerSchool has refused to disclose the amount paid or the hacker’s original demand.

Is the Stolen Data Really Deleted?

PowerSchool claims it does “not anticipate the data being shared or made public” and believes the stolen information has been deleted. However, the company has declined to provide evidence supporting this claim.

Reports suggest that PowerSchool may have received video proof of deletion, but the company has refused to confirm this. Cybersecurity experts warn that proof of deletion does not guarantee that hackers do not retain copies of the data.

The recent takedown of the LockBit ransomware gang revealed that they continued to store victim data even after payments were made, raising concerns about PowerSchool’s ability to verify complete deletion.

Who Is Behind the PowerSchool Hack?

One of the biggest unknowns is the identity of the hacker or group responsible. While PowerSchool has acknowledged communication with the hacker, it has refused to reveal any details about their identity.

CyberSteward, the Canadian cybersecurity firm that assisted PowerSchool in negotiations, did not respond to TechCrunch’s questions regarding the attacker’s identity.

CrowdStrike Report Leaves Key Security Questions Unanswered

The forensic analysis from CrowdStrike confirmed that the breach stemmed from a compromised credential, but it failed to explain how the hacker initially acquired this credential.

Mark Racine, CEO of the Boston-based edtech consulting firm RootED Solutions, called the report “underwhelming”, stating that it provides some details but does not offer enough information to fully understand what went wrong.

How Long Was PowerSchool Compromised?

The CrowdStrike report uncovered new information suggesting that PowerSchool’s systems were accessed as early as August 16, 2024. The hacker used the same compromised credential to access PowerSchool’s PowerSource customer support portal, which was later exploited in December’s breach.

Due to insufficient logging, CrowdStrike could not determine whether the August breach and December breach were carried out by the same attacker. However, findings indicate that PowerSchool may have been compromised for months before the breach was detected.

Ongoing Concerns About PowerSchool’s Security

This breach raises serious concerns about PowerSchool’s cybersecurity measures, particularly its lack of multi-factor authentication and the failure to detect unauthorized access for months.

As schools, parents, and students continue to deal with the consequences of this massive breach, unanswered questions persist. With millions of sensitive records at stake, transparency and stronger security measures are essential to preventing future incidents.
