PowerSchool, a leading US edtech company, has confirmed that a December 2024 data breach resulted in the theft of personal and sensitive data of approximately 16,000 students in the United Kingdom. The company began notifying affected individuals outside of the US and Canada this week, shedding light on the extent of the breach's international impact.

The incident, first reported in January, involved hackers accessing the personal data of millions of students and teachers by exploiting compromised credentials to breach PowerSchool's customer support portal. While the company has not disclosed the total number of international students affected, it has confirmed that four schools in the UK were impacted, with hackers accessing students' contact information, dates of birth, limited medical data, and "other related information".

In a letter to affected individuals, PowerSchool stated that the data accessed varied across its customer base. Notably, the company declined to name the UK schools impacted by the incident, citing unspecified reasons. Furthermore, PowerSchool's incident page, which was offline at the time of publication, revealed that the company would not be offering credit monitoring services to data breach victims outside of the US and Canada.

The UK's Information Commissioner's Office (ICO) has not received a data breach report from PowerSchool, according to Lucy Milburn, an ICO spokesperson. PowerSchool claims this is because it "does not act as a data controller" under UK data protection law, a claim that has raised questions and prompted further inquiry from TechCrunch.

Despite confirming the extent of the breach's impact on UK students, PowerSchool has yet to disclose the total number of individuals affected globally. Reports suggest that the breach may have impacted the personal and sensitive data of over 62 million students and 9.5 million teachers, although the company has neither confirmed nor denied this figure. PowerSchool's technology is used by more than 60 million students, according to its website.

The implications of this breach are far-reaching, with potential consequences for student privacy, data security, and the edtech industry as a whole. As the full extent of the breach remains unclear, it is essential for PowerSchool to provide transparency and accountability to affected individuals and the broader education community.

TechCrunch continues to investigate this story and invites anyone with additional information about the PowerSchool data breach to come forward. Confidential tips can be shared securely with Carly Page on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.