UPDATE: A new report from Bleeping Computer claims a hacker stole the data of 62.4 million students and 9.5 million teachers, though PowerSchool did not confirm or deny those numbers.
"We cannot confirm precise numbers because our data review process is still ongoing," a company representative tells PCMag.
The PowerSchool website advertises that it has data from 60 million students. Bleeping Computer lists some of the largest districts affected: Toronto District School Board (1,484,733 students), Peel District School Board (943,082), Dallas Independent School District (787,212), Calgary Board of Education (593,518), and the Memphis-Shelby County School (485,087), from which we quoted a parent in the original article below.
PowerSchool is also light on details about what data was stolen. "We are receiving many questions about what type of data was involved, and it is difficult to make broad brush statements because the answer varies by individual customer and is dependent on customer choice and on state/district/regional policies and requirements," it says.
Original Story (1/16):
Education technology giant PowerSchool has confirmed a data breach that may have exposed information on millions of schoolchildren, putting them at risk of identity theft.
PowerSchool has over 18,000 clients, covering 75% of K-12 students across North America and 60 million in the US, TechCrunch reports. It is a public company, acquired by Bain Capital in 2024 for $5.6 billion.
At the Memphis-Shelby School District in Tennessee, a PowerSchool account is required to enroll, according to Fox13 Memphis. "We don't get a choice," one parent says. "If that information can be leaked out, that's serious."
The threat actor accessed PowerSchool's Student Information System (SIS) in December with stolen credentials. They then forced PowerSchool to pay a ransom for the data, in exchange for a video of them deleting it. "There is no guarantee that this was fully effective," according to the New Jersey Cybersecurity and Communications Integration Cell. "As a precaution, PowerSchool is monitoring the dark web for any potential leaks."
PowerSchool has decided not to disclose the full list of schools and number of students affected. Instead, it notified districts individually via email. Its CEO Hardeep Gulati also seems to have hosted a webinar with the affected schools.
"We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available," PowerSchool said in a statement.
School IT administrators are scrambling to confirm the data exposed in their district, prompting one to post instructions on Reddit for how to do so. At least one administrator commented on the thread that all current and historical records were included in the breach, including from students who may have graduated years ago; TechCrunch reports the same.
According to PowerSchool, "the data impacted may vary in volume and sensitivity by school district." Some schools use the software for only "grades and parent contact information," according to one teacher on Reddit. Others have more extensive data collection. PowerSchool confirmed the hack included highly sensitive data, though it says "we expect the majority of involved customers did not have sensitive information, including Social Security numbers or medical information, involved."
Below is an example of the data collected from the Rancho Santa Fe District in California, per its public disclosure.
Schools Affected by the PowerSchool Data Breach (So Far)
Districts in many states and provinces are coming forward to notify their communities. Here are some that we know of so far, and counting. Investigations in each district appear to be ongoing, in partnership with PowerSchool.
PCMag reached out to PowerSchool for a full list, which it declined to provide. We also asked the US Cybersecurity and Infrastructure Security Agency (CISA) and a spokesperson said: "We’re going to refer you to PowerSchool for responses to your questions."
If your district has been affected, let us know in the comments.
- Alabama: Alabaster City Schools, Hoover City Schools (source)
- California: Rancho Santa Fe School District, Ramona Unified School District (source), San Diego Unified School District (source)
- Chicago, IL: Burbank School District 11, Oswego Community Unit School District 308, Bremen High School District 228, Community Consolidated School District 146, Mundelein High School District 120, Lake Forest Districts 67 and 115, Beach Park District 3, Harvey School District 125, Lake Ridge New Tech School Corporation (Gary, Indiana), Lincolnshire–Prairie View School District 103, North Chicago School District 187, Prospect Heights School District 23, Zion Elementary District 6 (source)
- Connecticut: Windsor Locks, Coventry, Bolton, Enfield, East Hartford, Danbury, Milford, Wallingford, and Regional School District 16 (source)
- Georgia: Lanier County Schools (source)
- Kansas: Russell County USD 407 (source)
- Long Island, NY: Jericho, Hicksville, Glen Cove, West Hempstead, Lynbrook, Middle Country, Massapequa, Smithtown Central, Nassau BOCES, and Uniondale (source)
- Manitoba, Canada: 80% of districts (source)
- Maryland: Frederick County Public Schools (source)
- Massachusetts: Lenox Public Schools (source)
- North Carolina: All public schools (source)
- Nebraska: Sargent, Burwell, Sandhills, Sumner-Eddyville-Miller and Stapleton (source)
- Oklahoma: Mustang School District, Enid Public Schools (source)
- Oregon: Baker School District (source)
- Pennsylvania: Carlisle Area School District, Middletown Area School District and Williamsport Area School District (source)
- South Carolina: Laurens County School District 56 (source)
- Tennessee: Memphis-Shelby County Schools (source)
- Texas: Dallas ISD (source)