The recent hack of U.S. edtech giant PowerSchool is on track to be one of the biggest education data breaches in recent years, with millions of students' personal information potentially compromised. The California-based company, which provides K-12 software to over 18,000 schools supporting 60 million students across North America, first disclosed the data breach in early January 2025.
According to PowerSchool, an unknown hacker used a single compromised credential to breach its customer support portal in December 2024, gaining further access to the company's school information system, PowerSchool SIS. The system is used by schools to manage student records, grades, attendance, and enrollment. While PowerSchool has been open about some aspects of the breach, several important questions remain unanswered months on.
TechCrunch sent PowerSchool a list of outstanding questions about the incident, which potentially affects millions of students. However, PowerSchool spokesperson Beth Keebler declined to answer the questions, saying that all updates related to the breach would be posted on the company's incident page. On January 29, the company said it began notifying state regulators and individuals affected by the breach.
Many of PowerSchool's customers also have outstanding questions about the breach, forcing those affected to work together to investigate the hack. In early March, PowerSchool published its data breach post-mortem, as prepared by CrowdStrike, two months after PowerSchool customers were told it would be released. While many of the details in the report were known, CrowdStrike confirmed that a hacker had access to PowerSchool's systems as early as August 2024.
Despite the report, several key questions remain unanswered. PowerSchool hasn't said how many students or staff are affected, and the company has repeatedly declined to confirm or deny reports that the hacker accessed the personal data of more than 62 million students and 9.5 million teachers. PowerSchool's filings with state attorneys general and communications from breached schools suggest that millions of people likely had personal information stolen in the data breach.
The Toronto District School Board, Canada's largest school board, said the hacker may have accessed some 40 years' worth of student data, with the data of almost 1.5 million students taken in the breach. California's Menlo Park City School District also confirmed the hacker accessed information on all current students and staff, as well as students and staff dating back to the start of the 2009-10 school year.
PowerSchool also hasn't said what types of data were stolen. The company's incident page states that stolen data may have included Social Security numbers and medical data. However, TechCrunch has heard from multiple schools affected by the incident that "all" of their historical student and teacher data was compromised, including highly sensitive student data such as information about parents' access rights to their children, restraining orders, and information about when certain students need to take their medications.
Additionally, PowerSchool won't say how much it paid the hacker responsible for the breach, despite confirming that it worked with a cyber-extortion incident response company to negotiate with the threat actors. The company has also refused to say what evidence it has received to suggest that the stolen data has been deleted. The hacker behind the data breach is not yet known.
The CrowdStrike forensic report leaves questions unanswered, and one person at a school affected by the breach told TechCrunch that the findings were "underwhelming." The report confirmed the breach was caused by a compromised credential, but the root cause of how the compromised credential was acquired and used remains unknown.
It's also not known exactly how far back PowerSchool's breach actually goes, with the CrowdStrike report revealing that a hacker had access to PowerSchool's network between August 16, 2024, and September 17, 2024. The access was gained using the same compromised credentials used in December's breach, and the hacker accessed PowerSchool's PowerSource, the same customer support portal compromised in December to gain access to PowerSchool's school information system.
As the investigation continues, many questions remain unanswered, and the full extent of the breach is still unknown. If you have more information about the PowerSchool data breach, TechCrunch would love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.