PowerSchool data breach: What to know, how students are impacted

PowerSchool, a software provider popular at K-12 schools, was the target of a data breach in late December that affected many districts in the U.S. and in other countries, according to the company and several impacted schools. 

Schools weren’t widely notified until more than two weeks after the breach occurred. Names, addresses, birth dates and Social Security numbers were among the information hackers obtained using a user's credentials to log into a customer service portal.

The incident comes at a time when cyberattacks and online threats “are an increasingly significant and widespread problem” for schools in the U.S., the federal government says. Between 2016 and 2022, there were 1,619 cyber incidents that struck K-12 schools nationwide, according to the nonprofit K12 Security Information Exchange, which helps schools protect themselves from online threats. In roughly that same period, schools in nearly every state were victims of cyberattacks.

Much is still unknown about the extent of the latest data breach. Here’s what the company and schools have said about it: 

When did the breach happen? Who was affected?

Unauthorized access to the software company’s platforms began on Dec. 19 and ended on Dec. 28, according to multiple school districts. Hackers used a PowerSchool remote support tool to access the data of many districts. It remains unclear how many. 

The company targeted, PowerSchool Holdings, Inc., has clients that serve over 60 million students and more than 18,000 customers in nearly 100 countries.

Who was behind the attack?

PowerSchool is working with the Federal Bureau of Investigation and CrowdStrike, a cybersecurity firm, to uncover who was behind the breach, several school districts said. 

Read more: Day of chaos: How CrowdStrike outage disrupted 911 dispatches, hospitals, flights

“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” the company said in a statement on Monday.

What happened to the data? 

An update from Utah Schools for the Deaf and Blind, which was impacted by the cyberattack, provided a glimpse into the types of data hackers accessed. Some of the more unique details the school said were tapped in the breach included students' lunch balances, free and reduced meal statuses, and their locker numbers and combinations. Information about students with medical alerts was also pulled. 

The Utah school stressed that because it doesn't store Social Security numbers in PowerSchool, that data wasn't stolen. Other schools weren't as lucky: Randolph Public Schools just south of Boston said the Social Security numbers and birth dates of staff were stored in the portion of the system that was compromised. 

“PowerSchool has indicated that they believe all the data that was downloaded has been destroyed at this time,” the school said in an information webpage. 

Soldier mom's surprise reunion with daughter in mascot costume steals the show

Harmonee's cheer night turned emotional when her Army mom, Alissa Guzman, surprised her in a mascot suit after a 4-month deployment in Woodbridge, VA.

What now?

In a statement Monday, the California-based company said it wasn't experiencing disruptions and was still providing its services “as normal” to customers. 

“PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously,” the software provider said. 

Some districts have expressed frustration with PowerSchool about how it has handled communication with customers since the breach. Officials at the Hurley School District in Wisconsin said in a Facebook post last week that they were informed that PowerSchool interacted with the individual responsible for taking the data and they “were confident it was then destroyed.” 

“Although that brings little satisfaction or relief to those impacted, it’s what we have been told and all the information we have at this time,” they wrote. “As we know more, so will you, and we will continue pressing PowerSchool for answers.”

Zachary Schermele is an education reporter for Paste BN. You can reach him by email at zschermele@usatoday.com. Follow him on X at @ZachSchermele.