PowerSchool, the largest provider of cloud-based education software for K-12 education in the US, has disclosed a "cybersecurity incident" that allowed hackers to access the personal data of students and teachers in K-12 school districts across the country. The California-based company, acquired by Bain Capital for $5.6 billion in 2024, serves over 75% of students in North America and supports more than 50 million students in the US through its software.

In a letter sent to affected customers on Tuesday, PowerSchool revealed that hackers successfully breached its PowerSource customer support portal on December 28, gaining further access to the company's school information system, PowerSchool SIS. The system is used by schools to manage student records, grades, attendance, and enrollment. According to the letter, the hackers gained access "using a compromised credential."

PowerSchool has not disclosed the types of data accessed during the incident or the number of individuals affected by the breach. Despite requests for information, neither PowerSchool nor Bain Capital have responded to questions from TechCrunch. The nature of the cyberattack remains unknown, with Bleeping Computer reporting that PowerSchool did not experience a ransomware attack but was extorted into paying a financial sum to prevent the hackers from leaking the stolen data.

According to an FAQ sent to affected users, PowerSchool confirmed that names and addresses were exposed in the breach, and the information may also include Social Security numbers, medical information, grades, and other personally identifiable information. The company did not disclose the amount paid to the hackers. This incident raises concerns about the security of sensitive student data and the potential consequences for those affected.

This is not the first time PowerSchool has faced scrutiny over its handling of student data. In November 2024, the company was sued in a class-action lawsuit alleging that it illegally sells student data without consent for commercial gain. The lawsuit claims that PowerSchool collects highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain, hiding behind "opaque terms of service such that no one can understand." The lawsuit alleges that PowerSchool's troves of student data total some "345 terabytes of data collected from 440 school districts."

The incident highlights the need for education technology companies to prioritize the security and privacy of student data. As the largest provider of cloud-based education software, PowerSchool has a responsibility to protect the sensitive information entrusted to it. The company's response to this incident will be closely watched, and it remains to be seen what measures will be taken to prevent similar breaches in the future.

The implications of this breach extend beyond PowerSchool, as it underscores the vulnerability of student data in the education technology sector. As EdTech companies continue to play an increasingly prominent role in education, it is essential that they prioritize the security and privacy of student data to maintain trust and ensure the integrity of the education system.