The recent hack of U.S. edtech giant PowerSchool has the potential to be one of the biggest breaches of the year, with millions of student records potentially exposed. PowerSchool, which provides K-12 software to over 18,000 schools, confirmed the breach in early January, stating that hackers used compromised credentials to breach its customer support portal, allowing further access to the company's school information system, PowerSchool SIS.

The California-based company, acquired by Bain Capital for $5.6 billion in 2024, has been open about some aspects of the breach. However, a number of important questions remain unanswered, leaving millions of students and teachers vulnerable. PowerSchool spokesperson Beth Keebler told TechCrunch that the PowerSource portal, which did not support multi-factor authentication at the time of the incident, was breached, but declined to answer further questions, stating that all updates related to the breach would be posted on the company's incident page.

Despite the lack of transparency, sources have revealed that the breach could be "massive," with Bleeping Computer reporting that the hacker allegedly accessed the personal data of over 62 million students and 9.5 million teachers. While PowerSchool has repeatedly declined to confirm this number, the company's recent filings with state attorneys general suggest that millions had personal information stolen in the breach. In a filing with the Texas' attorney general, for example, PowerSchool confirms that almost 800,000 state residents had data stolen.

Communications from breached school districts give a general idea of the size of the breach. The Toronto District School Board (TDSB), Canada's largest school board, said that the hacker may have accessed some 40 years' worth of student data, with the data of almost 1.5 million students taken in the breach. Similarly, California's Menlo Park City School District confirmed that the hacker accessed information on all current students and staff, as well as students and staff dating back to the start of the 2009-10 school year.

One of the biggest concerns is the lack of information about the types of data stolen. PowerSchool has confirmed that the hacker stole "sensitive personal information" on students and teachers, including students' grades, attendance, and demographics. However, the company's incident page also states that stolen data may have included Social Security numbers and medical data, but says that "due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base."

Sources have also revealed that PowerSchool has provided affected schools with a "SIS Self Service" tool that can query and summarize PowerSchool customer data to show what data is stored in their systems. However, PowerSchool told affected schools that the tool "may not precisely reflect data that was exfiltrated at the time of the incident." It is unclear if PowerSchool has its own technical means, such as logs, to determine which types of data were stolen from specific school districts.

Another unanswered question is whether PowerSchool paid the hacker responsible for the breach. The company told TechCrunch that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach, but refused to say how much it paid or how much the hacker demanded.

Furthermore, PowerSchool has stated that it "does not anticipate the data being shared or made public" and that it "believes the data has been deleted without any further replication or dissemination." However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted, raising concerns about the effectiveness of the company's response to the breach.

The identity of the hacker responsible for the attack remains unknown, with PowerSchool refusing to reveal their identity, if known. The results of CrowdStrike's investigation into the breach also remain a mystery, with the security firm's findings yet to be released, despite promises to do so by mid-January.

The PowerSchool hack highlights the vulnerabilities of the education sector to cyberattacks, and the need for greater transparency and accountability from companies handling sensitive student data. As the investigation continues, millions of students and teachers remain vulnerable, and the full extent of the breach remains to be seen.