Several U.S. school districts have revealed that a recent cyberattack on education technology provider PowerSchool exposed “all” historical student and teacher data stored in their systems, according to reports shared with TechCrunch.
PowerSchool, a leading school records software platform supporting over 60 million students nationwide, fell victim to an attack in December. Hackers reportedly accessed the company’s customer support portal using stolen credentials, exposing sensitive data from K-12 schools. The breach has yet to be linked to a specific hacker or group.
While PowerSchool has not disclosed how many districts were impacted, sources at affected schools confirmed the attackers gained access to vast amounts of data.
“In our case, they got all historical student and teacher data,” one school district representative told TechCrunch. The representative noted discrepancies in PowerSchool’s timeline, suggesting the attackers had access earlier than reported.
Another source from a district serving nearly 9,000 students said, “The attackers accessed demographic data for all teachers and students, both active and historical, as long as we’ve had PowerSchool.” This source criticized PowerSchool for lacking basic security measures like multi-factor authentication (MFA).
PowerSchool spokesperson Beth Keebler neither disputed these claims nor elaborated on the company’s security practices. She confirmed that MFA is used but provided no further details.
Widespread Impact Across School Districts
School districts such as Menlo Park City School District in California confirmed the breach affected data on all students and staff, including historical records dating back to 2009. Other districts have reported similar breaches involving personal information, Social Security numbers, and teacher credentials.
Educational technology consultant Mark Racine noted that the breach may extend beyond PowerSchool’s 18,000 current customers, potentially impacting former clients. In some cases, the number of affected individuals reportedly exceeds active enrollment figures by four to ten times.
PowerSchool stated it has “identified the schools and districts whose data was involved” and is working to determine which individuals were affected. While the company claims to have taken steps to prevent further dissemination of the stolen data, it declined to specify these measures.
“While our data review remains ongoing, we expect the majority of involved customers did not have Social Security numbers or medical information exfiltrated,” Keebler told TechCrunch.
The breach has raised serious concerns about data security in education, with calls for improved safeguards to protect sensitive information from future attacks.