PowerSchool, a leading software provider in K-12 education, suffered a data breach in late December that affected thousands of students’ accounts nationwide.
More than 50 million students and 18,000 customers in over 90 countries use PowerSchool. School districts rely on PowerSchool servers to store student’s grades, report cards, attendance and test scores. MCPS, a PowerSchool user, confirms that its data was not affected by the cyberattack.
The cyberattack began on Dec. 19, allowing unauthorized individuals to access and obtain students’ personal data. PowerSchool discovered the breach in its Student Information System on Dec. 28, revealing that hackers had stolen data through PowerSource, one of the company’s portals. The company confirmed that the breach exposed a group of students’ social security numbers, medical data and addresses.
PowerSchool notified the impacted school districts about the breach Jan. 7, almost two weeks after discovering the hack. In a public letter, PowerSchool outlined the steps they took to address the situation and support their customers.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team,” PowerSchool wrote. “We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information.”
Hackers and cyberattacks increasingly target educational institutions. A Malwarebytes report revealed a 92% spike in ransomware attacks on K-12 education in 2023. In 2023, ransomware attacks on education peaked, averaging 21 monthly attacks. Globally, the U.S. accounted for 80% of these attacks, while the UK reported 12%. Though PowerSchool said that its breach was not a ransomware attack, this trend is still indicative of the larger issue of hackers targeting educational software platforms.
Some reports suggest the PowerSchool breach may be worse than initially believed. TechCrunch cited an unnamed source claiming that hackers stole all historical and active data, including demographic information of students and teachers. PowerSchool has not yet disclosed how many districts were affected, but several school districts, including those in Massachusetts, are making statements, advising parents to protect their children’s information.
“Boston cybersecurity expert Robert Siciliano recommends all parents freeze their child’s credit — regardless of whether they were directly impacted by the breach,” WCVB said. “He also suggested investing in identity theft protection.”
While PowerSchool hasn’t experienced an incident to this extent before, MCPS suffered its separate data breach in 2019 through Naviance, which exposed personal data including SAT and ACT scores, GPAs and identity information of nearly 6,000 students across six MCPS schools.
Whitman’s information technology (IT) system specialist, Helen Ward, said MCPS was lucky they weren’t involved in the PowerSchool crisis, and it will only prepare the company for the future.
“It’s a good thing for MCPS that we did not get hacked,” Ward said. “It’s going to make PowerSchool stronger and better able to handle attacks in the future.”
USA Today said that the company believes that all the downloaded and stolen data has been destroyed. In PowerSchool’s letter to the public, they wrote about the steps they will take moving forward.
“We take our responsibility to protect student, family, and educator data privacy extremely seriously,” PowerSchool wrote. “We apologize for any concern this incident may cause you and are working hard to provide you with timely updates.”