PowerSchool Faces Cybersecurity Breach: A Closer Look at the Incident
In a recent turn of events, education technology leader PowerSchool has informed its clients about a significant “cybersecurity incident” that exposed sensitive data of students and teachers in K-12 school districts across the United States. Based in California, PowerSchool was acquired by Bain Capital for a staggering $5.6 billion in 2024. It stands as the largest provider of cloud-based education software for K-12 education in the U.S., catering to more than 75% of students across North America, as stated on their website.
According to PowerSchool, their software supports over 16,000 customers, facilitating the educational journey of more than 50 million students nationwide. A letter sent to affected customers, which surfaced in a local news report, revealed that on December 28, hackers breached the company’s PowerSource customer support portal. This breach led to unauthorized access to the company’s school information system, PowerSchool SIS, widely used for managing student records, grades, attendance, and enrollment.
- Compromised credential used by hackers
- Unspecified data types and number of individuals affected
- No response from PowerSchool or Bain Capital regarding inquiries
“The nature of the cyberattack remains unknown,” reports Bleeping Computer. Though not a ransomware attack, PowerSchool admitted to being extorted into paying a financial sum to prevent data leakage.
{Bleeping Computer}
The breach exposed names and addresses, with potential access to Social Security numbers, medical information, grades, and other personally identifiable information. The exact financial sum paid by PowerSchool remains undisclosed.
Adding fuel to the fire, PowerSchool is currently embroiled in a class-action lawsuit filed in November 2024. The lawsuit accuses the company of illegally selling student data without consent for commercial purposes. Allegedly, the company amasses “345 terabytes of data collected from 440 school districts,” under misleading terms of service.
“PowerSchool collects this highly sensitive information under the guise of educational support but in fact collects it for its own commercial gain,” while hiding behind “opaque terms of service such that no one can understand,” claims the lawsuit.
{Lawsuit Excerpt}
This incident serves as a stark reminder of the vulnerabilities inherent in digital educational platforms and the paramount importance of robust cybersecurity measures to protect sensitive information.
