PowerSchool reports data breach, exposes student, teacher data

PowerSchool, a major education software provider serving over 60 million students and 18,000 customers worldwide, is reporting a data breach affecting their PowerSchool SIS (Student Information System) platform.

The incident was discovered on December 28, 2024, when unauthorized access was detected through their PowerSource customer support portal.

The threat actors gained access using compromised credentials to infiltrate PowerSource, a community-focused customer support portal. They utilized an "export data manager" maintenance tool typically reserved for PowerSchool engineers to access customer SIS instances for support and troubleshooting. The attackers leveraged this tool to export and steal 'Students' and 'Teachers' database tables in CSV format.

Exposed Data Types:

• Names and contact information
• Social Security Numbers (SSNs)
• Personally Identifiable Information (PII)
• Medical information
• Student grades and academic records

The exact number of affected individuals has not been disclosed. PowerSchool claims that customer tickets, credentials, and forum data were not compromised in the breach.

Update - As of 22nd of January 2025, the hackers claim to have compromised over 71 million people

• 62,488,628 students affected
• 9,506,624 teachers affected
• 6,505 school districts across US, Canada, and other countries

The Toronto District School Board reports that the data breach goes back to 1985, potentially impacting 1.49 million students.

The North Carolina Department of Public Instruction reports that about 312,000 North Carolina teachers’ social security numbers were exposed.

The Rochester City School District says a data breach exposed more than 130,000 student and staff records.

As of 24th of January 2025, the total count of impacted Canadian students across multiple school boards including Toronto and Peel districts rises to 2.4 million, Since that is the approximate total number of students in those districts, it seems that the entire North American claimed to be 62 million students and 9.5 million teachers is real since that's the total estimated number of individuals processed through the PowerSchool system.

As of 5th of February 2025, the Winston-Salem/Forsyth County Schools reports that the incident exposed data of 150,000 current/former students and 28,000 staff members, with 16,000 staff having their social security numbers compromised.

As of 7th of February 2025, PowerSchool confirmed that four schools in the U.K. were affected, with hackers accessing the data of “approximately 16,000 students." On the same day the Texas Attorney General's office reports that the PowerSchool Group LLC data breach possibly exposed 790,362 Texans.

As of 12th of February 2025, school districts in Idaho have estimated approximately 425,000 student records that have potentially been impacted and approximately 80,000 staff records.

At least 23 lawsuits seeking class-action status have been filed against PowerSchool following the massive data breach.

PowerSchool engaged multiple cybersecurity firms, including CrowdStrike, to investigate and contain the incident. Key actions taken include: rotating passwords for all PowerSource customer support portal accounts, stricter password policies and have paid an undisclosed ransom amount to prevent data release.

PowerSchool is offering credit monitoring for affected adults and identity protection services for impacted minors

The investigation remains ongoing, with CrowdStrike expected to release a final report by January 17, 2025. School districts can verify potential compromise by checking their ps-log-audit files for a maintenance user named "200A0" and reviewing mass-data export logs. Some customers have reported identifying suspicious exports from Ukrainian IP addresses on December 22, 2024.

Update - PowerSchool has not disclosed the total number of affected schools but multiple organizations have confirmed the extensive nature of the breach. The breach affected both current and historical data, so schools that previously used PowerSchool but are no longer customers were also impacted. The data exposure spans the entire duration of schools' PowerSchool usage.

Although this was not a ransomware attack, PowerSchool opted to pay the attackers to allegedly have the stolen data deleted. There is no guarantee the data was actually destroyed or wasn't copied before deletion.

As of 10th of March 2025, according to CrowdStrike's investigation, an unauthorized actor initially accessed PowerSchool's network between August 16 and September 17, 2024, several months before the reported disclosed breach period. PowerSchool originally reported that the unauthorized access occurred only between December 19 and December 28, 2024, when the compromise was discovered.

As of 29th of March 2025, at least four Alaska school districts report that their students and staff are impacted including Juneau School District, Lower Kuskokwim School District (LKSD), Nome Public Schools, and the Bering Strait School District (BSSD).

As of 5th of April 2025, several school districts in Minnesota and Wisconsin report being affected, including Rock Ridge Public Schools, School District of Superior, Proctor Public Schools, Cromwell-Wright Public School and Harbor City International School (a Duluth charter school).

As of 18th of August 2025, Robertson County Schools reports that they have been affected by the incident.