PowerSchool, a leading education technology company based in California, announced that a data breach in December 2024 compromised the personal information of students and educators. The breach, detected on December 28, specifically involved the company’s Student Information System (SIS), which attackers accessed via the PowerSource customer support portal.
Details of Compromised Information
The company stated that the breach did not disrupt operations and that no other products outside of PowerSchool SIS experienced any impact. In an incident notice on its website, PowerSchool reassured users, stating, “We have found no evidence that this incident affected other PowerSchool products or that malware or unauthorized activity continues in the PowerSchool environment.”
The compromised data includes sensitive information such as names, contact details, dates of birth, medical records, Social Security numbers, and other related information. However, PowerSchool confirmed that the breach did not involve any credit card or banking information.
Affected individuals will receive notifications detailing how the breach impacted their information, as the types of compromised data may vary from person to person. The company initially informed the SIS community about the breach on January 7 and provided further updates on January 12, including the offer of two years of free identity theft and credit monitoring services for those affected.
PowerSchool’s Actions Following the Incident
PowerSchool serves over 18,000 schools and districts across more than 90 countries, supporting more than 60 million students with its K-12 software and cloud-based solutions. While the company has not disclosed the total number of individuals or schools affected, several customers confirmed their involvement in the incident.
In Virginia, at least 85 school districts utilize PowerSchool, with several counties, including Charlottesville, Fluvanna, Richmond, Russell, and Tazewell, reporting impacts. Conversely, Fairfax County Public Schools stated it was not affected, as it does not use PowerSchool SIS.
In California, the Menlo Park City School District reported that approximately 14,000 individuals who have attended the district since the 2009-2010 school year were affected. The Rancho Santa Fe School District also informed the California Attorney General’s Office about how the breach impacted its students and teachers
Additionally, several school boards and institutions in Canada, including the Toronto District School Board, experienced impacts. Philippe Dufresne, Canada’s Privacy Commissioner, announced that his office is investigating the breach. “My office is in contact with the company to obtain more information about this breach and to provide them with information about breach response and reporting requirements under privacy legislation,” Dufresne stated.
Reports suggest that attackers used compromised credentials to access the PowerSchool portal and extract data related to students and educators. PowerSchool indicated that the company deleted the data and will not disseminate it, suggesting that attackers may have carried out a ransomware attack and potentially paid a ransom.
