
About PowerSchool
PowerSchool, a global leader in cloud-based software for K-12 education, provides tools to support school administration, teaching, learning, and student information management. Its products are used by over 60 million students and 18,000 educational customers in more than 90 countries, so a breach of this scale highlights the critical need for robust data protection and privacy measures in schools.
What happened: Facts of the Case
On December 28, 2024, PowerSchool announced that a malicious actor gained unauthorized access to their global data systems through compromised credentials. This breach occurred via the PowerSource remote support tool between December 19, 2024, and December 28, 2024, resulting in the sensitive personal information of students, staff, and families across multiple countries being compromised.
According to the notifications, the unauthorized access enabled the malicious actor to download sensitive personal data from PowerSchool’s Student Information System. The compromised information included names, addresses, phone numbers, email addresses, student IDs, birthdates, staff ID numbers, social security numbers, grades, and medical information.[1][2]
While this was not a ransomware attack, a message to parents from a school, as reported by NBC 26, said that PowerSchool paid a ransom to the malicious actor to prevent the data from being released.[3] PowerSchool does not anticipate the data being shared or made public, and it believes that the personal data has been deleted without any further replication or dissemination.
Key Actions Taken
PowerSchool has deactivated the compromised credential, restricted all access to the affected portal, implemented a full password reset, and tightened password and access control requirements for all PowerSource customer support portal accounts.[4]
PowerSchool said that it will be notifying all impacted individuals in the coming weeks. They will also be providing free credit monitoring for affected adults and identity protection services for affected minors, in accordance with regulatory and contractual requirements.
Key Analysis and Recommendations
Residual Risks and Data Misuse: Given the nature and unpredictability of such threat actors, there is no absolute guarantee that the data will not be misused or sold, even after a ransom has been paid. It would be imprudent to assume otherwise.
Ensure Compliance with Data Protection Laws: Although the breach occurred at PowerSchool, schools remain ultimately accountable for the personal data of their students, staff, and families. Schools must demonstrate compliance with the data breach requirements of their jurisdiction’s data protection laws (such as assessment, notification, and record-keeping obligations) to avoid further legal violations.
Feel free to reach out to us for a conversation!
About Pristine Privacy
Pristine Privacy Consulting Pte Ltd is a leading boutique data protection and privacy specialist in the education sector and international schools across Asia. We have extensive experience helping international schools globally develop their data protection and privacy programs, conduct risk assessments, provide compliance training, plan for incident response, handle data incidents and breaches, and liaise with data protection authorities. We can help your school adopt best practices and meet the required legal obligations in your country.
1. https://www.randolph.k12.ma.us/news/1802130/cybersecurity-memorandum-powerschool-data-breach
2. https://www.fastcompany.com/91257984/powerschool-data-security-breach-hackers-steal-student-social-security-numbers-medical-information-what-to-know
3. https://www.nbc26.com/suamico/school-district-claims-software-company-paid-ransom-after-cybersecurity-breach#google_vignette
4. https://www.infosecurity-magazine.com/news/powerschool-pays-ransom-data-leak/