A recent cyberattack on edtech giant PowerSchool has resulted in the exposure of "all" historical student and teacher data stored in the company's student information systems, according to sources at affected US school districts. The breach, which occurred in December, compromised PowerSchool's customer support portal using stolen credentials, allowing hackers to access reams of personal data belonging to students and teachers in K-12 schools.

PowerSchool, whose school records software supports over 50 million students across the United States, has not disclosed the number of affected school customers. However, two sources at affected school districts, who requested anonymity, told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers. "In our case, I just confirmed that they got all historical student and teacher data," one source said, adding that while PowerSchool claimed the hackers had access to its data from late December, the district's logs show that the attackers had gained access earlier.

Another source, from a school district with almost 9,000 students, confirmed that the attackers accessed "demographic data for all teachers and students, both active and historical, as long as we've had PowerSchool." The source also criticized PowerSchool for not securing the affected system with basic protections, such as multi-factor authentication. When asked about the security controls, PowerSchool spokesperson Beth Keebler declined to discuss the matter, citing company policy.

Several school districts have publicly posted information about the breach, including the Menlo Park City School District, which confirmed that its historical data had been accessed. The California school district said the hackers accessed data on "all current students and staff," as well as data on students and staff dating back to the start of the 2009-2010 school year.

PowerSchool has identified the schools and districts whose data was involved but declined to publicly share the names of those affected. The company is still working to identify specific individuals whose data may have been accessed. According to a PowerSchool FAQ shared with customers, the stolen data includes individuals' names and addresses, Social Security numbers, some medical and grade information, and other unspecified personally identifiable information belonging to students and teachers.

The breach may also affect school districts that are former customers of PowerSchool, suggesting the scale of the breach could extend beyond the organization's 18,000 existing educational customers. Marc Racine, the chief executive of the Boston-based education technology consulting firm RootED Solutions, said in a blog post that some school districts are reporting the number of affected students in the range of four- to ten-times higher than the number of actively enrolled students in their district.

PowerSchool told TechCrunch that it has taken "appropriate steps" to prevent the stolen data from being published and believes the data has been deleted without any further replication or dissemination. However, the company did not provide specifics on what steps it took, and declined to say what evidence it had to suggest that the stolen data had been deleted.

The incident raises concerns about the security of sensitive student and teacher data in the edtech sector. As the investigation continues, affected school districts and customers are left to wonder about the extent of the breach and the potential consequences for those whose data was exposed.