Edtech giant PowerSchool has warned its customers that hackers accessed highly sensitive information, including student Social Security numbers, grades, and medical information, during a recent data breach. The breach, which was confirmed by PowerSchool on Wednesday, affects users of its school information system, which schools use to manage student records, grades, attendance, and enrollment.

According to an FAQ obtained by TechCrunch, the hackers broke into PowerSchool's internal customer support portal using a stolen credential, gaining access to sensitive personal information. While the stolen data primarily includes contact details, such as individuals' names and addresses, the hackers were also able to access Social Security numbers, medical information, and other unspecified personally identifiable information belonging to students and teachers.

The California-based education tech firm, the largest provider of cloud-based education software for K-12 education in the United States, says the personal information of parents and guardians, including names, phone numbers, and email addresses, was also potentially compromised in some school districts. The company emphasized that the types of stolen data will vary by customer.

PowerSchool spokesperson Beth Keebler confirmed the legitimacy of the information in the FAQ, but declined to say how many individuals are affected by the breach. The company's software is used by over 16,000 customers to support more than 50 million students across North America.

In the FAQ, PowerSchool confirmed that the security incident was not ransomware in nature, but noted that it worked with CyberSteward, a Canadian organization that offers cyber-extortion incident response services, to negotiate with the threat actors responsible for the breach. This confirms previous reporting that PowerSchool was the target of an extortion-only attack and that it paid a financial sum to prevent the hackers from publishing the stolen data.

PowerSchool declined to say what evidence it had to suggest that the stolen data had been deleted, when asked by TechCrunch on Thursday. CyberSteward did not respond to TechCrunch's questions. PowerSchool claims that it has taken all appropriate steps to prevent the data involved from further unauthorized misuse and does not anticipate the data being shared or made public.

The breach raises concerns about the security of sensitive student information and the potential consequences of such a breach. PowerSchool's acquisition by Bain Capital in 2024 in a $5.6 billion deal has also sparked questions about the company's data security practices.

As the edtech industry continues to grow, the importance of robust data security measures cannot be overstated. This breach serves as a stark reminder of the need for vigilance and proactive measures to protect sensitive student information. PowerSchool's response to the breach will be closely watched, and the company's efforts to prevent similar incidents in the future will be crucial in maintaining the trust of its customers and the broader education community.

If you have more information about the PowerSchool data breach, TechCrunch would like to hear from you. You can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.