The recent hack of US edtech giant PowerSchool has the potential to be one of the biggest breaches of the year, with far-reaching implications for the education sector. PowerSchool, which provides K-12 software to over 18,000 schools, confirmed the breach in early January, stating that hackers used compromised credentials to breach its customer support portal, allowing further access to the company's school information system, PowerSchool SIS.
The California-based company, acquired by Bain Capital for $5.6 billion in 2024, has been open about certain aspects of the breach. According to PowerSchool spokesperson Beth Keebler, the PowerSource portal, which did not support multi-factor authentication (MFA) at the time of the incident, was compromised. However, several critical questions remain unanswered, leaving millions of students and educators in the dark.
Despite promises to share an incident report from cybersecurity firm CrowdStrike, which was hired to investigate the breach, several sources from impacted schools told TechCrunch that they have yet to receive the report. The company's customers are now forced to work together to investigate the hack, as PowerSchool has declined to provide further information.
One of the most pressing unanswered questions is the scale of the breach. While PowerSchool has identified the schools and districts whose data was involved, the company has refused to disclose the number of schools and individuals affected. Communications from impacted school districts, such as the Toronto District School Board and California's Menlo Park City School District, suggest that the attackers may have accessed decades' worth of student data, including sensitive personal information like Social Security numbers, grades, demographics, and medical information.
The stolen data also includes highly sensitive student information, such as parental access rights, restraining orders, and medication schedules. PowerSchool has not disclosed how much data was accessed during the cyberattack or how much it paid the hackers responsible for the breach. The company has only confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors.
Furthermore, PowerSchool has not provided evidence to suggest that the stolen data has been deleted, despite claims that it "believes the data has been deleted without any further replication or dissemination." The company's refusal to disclose the identity of the hackers responsible for the attack has only added to the uncertainty and concern surrounding the breach.
The PowerSchool hack serves as a stark reminder of the vulnerability of educational institutions to cyberattacks. As the education sector increasingly relies on technology to support learning, the need for robust cybersecurity measures and transparency in the event of a breach becomes more pressing than ever. With millions of students' data potentially at risk, it is imperative that PowerSchool and other edtech companies prioritize the security and privacy of their users.
If you have more information about the PowerSchool data breach, TechCrunch would love to hear from you. You can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.