Students, Educators Impacted by PowerSchool Data Breach – Source: www.securityweek.com

California-based education tech giant PowerSchool is notifying students and educators that their personal information was compromised in a December 2024 data breach.

The incident, the company says, was identified on December 28 and only involved its Student Information System (SIS) environments, which were accessed through the PowerSource community-focused customer support portal.

According to PowerSchool, the incident did not cause operational disruption and no other products beyond PowerSchool SIS were affected.

“We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the company says in an incident notice on its website.

The data breach led to personal information such as names, contact details, dates of birth, medical information, Social Security numbers, and other related information being compromised. According to the company, no credit card or banking information was affected.

PowerSchool says that the types of compromised information may differ from individual to individual, and that every affected person will receive a notification containing specific information on how the incident impacted them.

The company initially disclosed the incident to the SIS community on January 7, and shared additional details on Friday, when it announced that impacted individuals are provided with two years of free identity theft and credit monitoring services.

PowerSchool provides K-12 software and cloud-based solutions for school operations in more than 90 countries globally, working with over 18,000 schools and districts and supporting more than 60 million students.

The company has not shared information on how many individuals or schools might have been affected by the data breach, but many of its customers already confirmed being impacted by the incident.

In Virginia, where at least 85 districts use PowerSchool, the Charlottesville, Fluvanna, Richmond, Russell, and Tazewell counties said they were impacted, while Fairfax County Public Schools said it was not affected by the incident, as it does not use PowerSchool SIS.

In California, Menlo Park City School District said roughly 14,000 individuals were affected, including “all current students and staff, as well as students who enrolled in MPCSD from the start of the 2009-2010 school year and many staff who worked in MPCSD from the start of the 2009-2010 school year”.

The Rancho Santa Fe School District notified the California Attorney General’s Office that its students and teachers were affected by the data breach.

Numerous school boards and schools in Canada, including Toronto District School Board, have been affected as well, and Privacy Commissioner of Canada Philippe Dufresne said on Monday that his office was looking into the matter.

“My Office is in contact with the company to obtain more information about this breach and to provide them with information about breach response and reporting requirements under privacy legislation. This will allow us to convey our expectations to the company regarding their response to the breach and to determine next steps,” Dufresne said.

PowerSchool reportedly told customers that compromised credentials were used to access its portal and export student and educator data. It also said that the data was deleted and will not be disseminated, suggesting that the company was targeted in a ransomware attack and a ransom was paid.

SecurityWeek has emailed PowerSchool for additional information on the data breach and will update this article as soon as a reply arrives.

Related: UK Considers Banning Ransomware Payment by Public Sector and CNI

Related: K-12 Schools Improve Protection Against Online Attacks, but Many Are Vulnerable to Ransomware Gangs

Related: Most Hood Plants Up After Cyber ‘Event,’ Schools Concerned

Related: Jackson Public Schools Ups Cybersecurity After Hacker Attack