PowerSchool hacker claims they stole data of 62 million students


The hacker who breached education tech giant PowerSchool claimed in an extortion demand that they stole the personal data of 62.4 million students and 9.5 million teachers.

PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that provides tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.

On January 7th, PowerSchool disclosed that it suffered a cyberattack after a threat actor used stolen credentials to access the company’s PowerSource customer support portal.

Using this access, the threat actor utilized a customer support maintenance access tool to download student and teacher data from districts’ PowerSIS databases.

As first reported and seen by BleepingComputer, an FAQ stated that sensitive information, such as Social Security Numbers, medical information, and grades, was stolen for a subset of students impacted by the breach.

This FAQ also stated that PowerSchool paid a ransom to prevent the stolen data from being leaked privately, and that it saw a video of the threat actor claiming to delete the data.

While the company showed more transparency in the private customer FAQ than other security disclosures, they still have not provided specific numbers as to how many students and teachers were impacted by the breach, frustrating parents, teachers, and school administrators who have spoken to BleepingComputer.

However, BleepingComputer has received information that sheds more light on the impact of this breach.

Over 62 million students impacted

According to multiple sources, the threat actor behind the PowerSchool attack claimed to have stolen the data of 6,505 school districts in the US, Canada, and other countries in an extortion demand to the company.

In total, BleepingComputer was told that the PowerSchool data breach impacted 62,488,628 students and 9,506,624 teachers.

In the information seen by BleepingComputer, the largest districts allegedly impacted by the PowerSchool breach are:

| District Name | Students Impacted | Teachers Impacted |
|---|---|---|
| Toronto District School Board | 1,484,733 | 90,023 |
| Peel District School Board | 943,082 | 39,693 |
| Dallas Independent School District | 787,212 | 79,718 |
| Calgary Board of Education | 593,518 | 133,677 |
| Memphis-Shelby County School | 485,087 | 54,501 |
| San Diego Unified | 472,278 | Possibly not stolen |
| Charlotte-Mecklenburg Schools | 467,974 | 57,486 |
| Wake County Public School | 461,005 | 92,783 |

It should be noted that the numbers for Canadian school boards tend to be larger than US school districts as the boards govern all of the schools in a specific region in Canada.

While PowerSchool would not comment on specific numbers as its investigation is still ongoing, they did stress to BleepingComputer that the type of data exposed in the data breach varies per district.

PowerSchool says that school districts decide what information is stored in the SIS database based on their district or State policy requirements. For this reason, it is expected that less than a quarter of impacted students had their Social Security Number exposed in the breach.

The company also said that they have both cloud-based and on-premise PowerSchool SIS customers. For those districts self-hosting their databases, the data review is more complicated as they require the district to share information for analysis.

In response to questions about our reporting, PowerSchool shared the following statement with BleepingComputer.

“We understand we have a very large customer base on PowerSchool SIS, but we do feel it important to highlight that we expect the majority of involved individuals – in fact more than three quarters – did not have social security numbers exfiltrated. We are receiving many questions about what type of data was involved and it is difficult to make broad brush statements because the answer varies by individual customer and is dependent on customer choice and on state or district policies and requirements. 

We care deeply about the students, teachers, and families we serve and are wholeheartedly committed to supporting them. PowerSchool will be offering two years of complimentary identity protection services and two years of complimentary credit monitoring services for all applicable students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated (meaning, we are doing this regardless of whether or not we are required to by regulation). We will also be making notifications on our customers’ behalf to state attorneys general offices, educators, students, parents, and other impacted stakeholders. We sincerely hope to relieve the burden of these notifications on our customers and their institutions.”

- PowerSchool

PowerSchool says they will offer 2 years of free identity protection and credit monitoring services for all impacted students and educators.

The company will also send data breach notifications on behalf of customers to State Attorney General’s offices and those impacted. A timeline as to when this will happen is unclear.

Furthermore, PowerSchool promised to release an incident report based on CrowdStrike’s investigations on January 17th, but that date has passed without a report being published.

When asked when the report would be available, PowerSchool said CrowdStrike is still working to finalize the forensic report, which will be made available to customers when completed.

In the interim, PowerSchool has posted an update to its customer-only FAQ, saying customers can receive a confidential CrowdStrike fact sheet on what is known so far.

PowerSchool also set up a dedicated public website that those impacted can monitor for further updates.


