
PowerSchool Data Breach

Impact: CRITICAL User Risk: HIGH

In late December 2024, education technology vendor PowerSchool suffered a data breach that, by the attackers' own tally, touched more than 62 million students and 9.5 million teachers across North America. The attackers used stolen credentials belonging to a support subcontractor, whose account had no multi-factor authentication, to log in to PowerSchool's customer support portal and download student and teacher data from 6,505 school districts. Exposed fields included names, addresses, dates of birth, Social Security numbers, medical information and grades. In a separate incident, infostealer malware on a PowerSchool engineer's computer captured internal company credentials. PowerSchool paid a ransom to the attackers and is offering two years of identity protection and credit monitoring to affected individuals.

Breach Overview and Timeline

On December 28, 2024, PowerSchool discovered a cybersecurity incident involving unauthorized access to its Student Information System (SIS) environments. The breach was publicly disclosed on January 7, 2025, affecting thousands of schools using the PowerSchool SIS platform.

PowerSchool, which serves 18,000 schools supporting over 60 million students across North America, became the target of one of the largest education data breaches in history. The company’s cloud-based software provides tools for enrollment, attendance, grades, communication, and student records management for K-12 districts throughout the United States and Canada.

According to BleepingComputer’s investigation, the threat actors claimed to have stolen data from 6,505 school districts, impacting 62,488,628 students and 9,506,624 teachers.

Attack Method: Stolen Contractor Credentials

The breach began with compromised credentials belonging to a technical support subcontractor, which the attackers used to log in to PowerSchool's PowerSource customer support portal. Critically, PowerSchool confirmed that the subcontractor's account was not protected by multi-factor authentication (MFA). With MFA enforced, the stolen password alone would not have been enough to authenticate, so the initial access step would most likely have failed.

Once inside the support portal, the attackers used a maintenance access tool intended for technical support to export student and teacher data directly from districts' PowerSchool SIS databases. One set of portal credentials therefore reached data belonging to thousands of separate customers, which is exactly the risk of giving third parties broad, shared access to privileged support tooling.
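The activity described above has a recognisable shape in portal access logs: one support account exporting whole tables from many different districts within minutes. The following detection logic is an added example written for this article, not PowerSchool's code or logs. The log format, the account and district identifiers, and the thresholds are assumptions chosen to illustrate the pattern; the sample lines are constructed.

```python
"""Detect bulk, cross-tenant exports through a support/maintenance tool.

Added example, not PowerSchool's code or logs. The log format, the account and
district identifiers, and the thresholds are assumptions chosen to illustrate
the point: one support account pulling whole tables from many districts in a
few minutes is the signature of the support-portal abuse described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (space separated):
# timestamp account district action table rows_returned
SAMPLE_LOG = """\
2024-12-22T02:10:05Z support_contractor_17 district_0042 export_table students 1200
2024-12-22T02:10:41Z support_contractor_17 district_0042 export_table teachers 90
2024-12-22T02:11:07Z support_contractor_17 district_0191 export_table students 8800
2024-12-22T02:11:30Z support_contractor_17 district_0777 export_table students 48000
2024-12-22T02:12:02Z support_contractor_17 district_0903 export_table teachers 2100
2024-12-22T02:12:59Z support_contractor_17 district_1210 export_table students 17000
2024-12-22T09:30:00Z support_eng_04 district_0042 export_table students 1200
2024-12-22T14:05:12Z support_eng_04 district_0042 view_ticket - 0
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict; rows becomes an int."""
    ts, account, district, action, table, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "district": district,
        "action": action,
        "table": table,
        "rows": int(rows),
    }


def find_bulk_exports(log_text: str,
                      window: timedelta = timedelta(minutes=10),
                      max_districts: int = 2,
                      max_rows: int = 20000) -> list:
    """Return one alert per account whose exports, inside any sliding window
    of length `window`, touch more than `max_districts` distinct tenants or
    return more than `max_rows` rows in total. A support engineer working one
    ticket for one district stays under both limits; a mass download does not.
    """
    exports = [parse_line(l) for l in log_text.splitlines()
               if l.strip() and l.split()[3] == "export_table"]
    by_account = defaultdict(list)
    for ev in sorted(exports, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)

    alerts = []
    for account, events in by_account.items():
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            districts = {e["district"] for e in in_window}
            rows = sum(e["rows"] for e in in_window)
            if len(districts) > max_districts or rows > max_rows:
                alerts.append({
                    "account": account,
                    "first_seen": in_window[0]["ts"].isoformat(),
                    "triggered_at": ev["ts"].isoformat(),
                    "districts": sorted(districts),
                    "rows": rows,
                })
                break  # one alert per account; the analyst pivots from here
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_exports(SAMPLE_LOG):
        print(alert)
```

Against the constructed log, the contractor account trips the rule at its fourth export (three districts inside ten minutes, 58,090 rows) while the engineer working a single district does not. The thresholds are deliberately low for the sample; in production they would be tuned per customer base, and the rule would sit alongside a hard rate limit in the tool itself rather than replace one.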

Scope of Impact: 62 Million Students Affected

The PowerSchool breach represents one of the largest education data breaches ever recorded. The extortion demand obtained by BleepingComputer revealed the massive scale of the incident affecting districts across the United States, Canada, and other countries.

The largest districts impacted include:

District Name                      | Students Impacted | Teachers Impacted
Toronto District School Board      | 1,484,733         | 90,023
Peel District School Board         | 943,082           | 39,693
Dallas Independent School District | 787,212           | 79,718
Calgary Board of Education         | 593,518           | 133,677
Memphis-Shelby County Schools      | 485,087           | 54,501
San Diego Unified                  | 472,278           | Data unclear
Charlotte-Mecklenburg Schools      | 467,974           | 57,486
Wake County Public Schools         | 461,005           | 92,783

Types of Data Compromised

The stolen data varied by district based on what information each school chose to store in their PowerSchool SIS. According to PowerSchool’s official notice, compromised data may have included:

  • Personal identifiers: Full names, contact information, addresses
  • Sensitive personal data: Dates of birth, Social Security numbers
  • Educational records: Grades, academic performance data
  • Medical information: Medical alert information, medication schedules
  • Legal information: Parental access rights, restraining orders
  • Demographics: Race, ethnicity, and other demographic data

PowerSchool estimates that less than 25% of impacted individuals had Social Security numbers exposed, though the exact percentage varies by district. However, even for those without SSNs in the breach, the combination of personal identifiers and sensitive information poses significant identity theft and privacy risks.

Separate Malware Incident: Engineer’s Credentials Stolen

In addition to the contractor credential theft, TechCrunch revealed a separate but concerning security incident involving a PowerSchool software engineer. The engineer’s personal computer was infected with LummaC2 infostealing malware, which exfiltrated:

  • Passwords for PowerSchool’s source code repositories
  • Slack messaging platform credentials
  • Jira bug tracking system access
  • Amazon Web Services (AWS) credentials with full S3 storage access
  • Credentials belonging to other PowerSchool employees

The malware logs showed that many PowerSchool passwords were short and lacked complexity, with some matching previously compromised passwords from other data breaches. The stolen credentials were uploaded to cybercrime forums and Telegram groups where they were traded among criminals.

PowerSchool responded that the engineer did not have AWS access and that its internal systems were protected with MFA, a statement that does not account for the AWS credentials the stealer logs reportedly contained. Whatever the precise exposure, the incident raises serious questions about the company's password policies and about device security standards for remote workers.

Critical Security Failures

The PowerSchool breach exposed multiple fundamental security failures:

  • Lack of Multi-Factor Authentication: The contractor account used to breach PowerSchool’s systems was not protected with MFA, despite this being a standard security practice for privileged accounts. PowerSchool only implemented MFA on contractor accounts after the breach occurred.
  • Weak Password Security: The malware logs showed that PowerSchool employees used short, simple passwords, some of them already present in earlier breach dumps. NIST SP 800-63B, which PowerSchool says it follows, specifically calls for screening new passwords against lists of known-compromised values, so these passwords should never have been accepted in the first place.
  • Excessive Maintenance Access: The maintenance access tool the attackers used could export entire database tables from customers' SIS instances. Convenient for support, that design turned one portal account into a single point of failure spanning every district at once.
  • Third-Party Risk Management: PowerSchool’s security standards for contractors and subcontractors were insufficient. The company did not enforce the same security controls (like MFA) on third-party accounts as it claimed to have on employee accounts.
  • Endpoint Security: The malware infection on the engineer’s computer suggests inadequate endpoint protection and security policies for remote work devices accessing corporate systems.
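The password failure above is the easiest of these to prevent in code. The screening routine below is an added example for this article, not PowerSchool's policy or code. It follows the NIST SP 800-63B model the article mentions: a length floor, a check against a breach corpus, rejection of context-specific words, and no character-class rules. The breach corpus here is a constructed stand-in held as SHA-1 digests; the prefix lookup mirrors how Have I Been Pwned's range API (https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>) works, but no network call is made.

```python
"""Password screening along the lines of NIST SP 800-63B: minimum length, a
check against a breach corpus, rejection of context-specific words, no
composition rules. Added example, not PowerSchool's policy. The breach corpus
below is constructed; a real deployment would query Have I Been Pwned's range
API or a local copy of that corpus using the same prefix lookup.
"""
import hashlib
import re
import unicodedata

MIN_LENGTH = 12  # 800-63B's floor is 8; a higher local floor is an assumption

# Constructed stand-in for a breached-password corpus. Only SHA-1 digests are
# kept so the policy code never has to ship plaintext passwords.
_CONSTRUCTED_BREACHED = ["password", "Password1", "Summer2024!",
                         "Welcome123", "qwerty123456"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _CONSTRUCTED_BREACHED}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input hashes identically
    (800-63B recommends normalizing before hashing)."""
    return unicodedata.normalize("NFKC", password)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    """Stand-in for the HIBP range query: given a 5-hex-char prefix, return
    the suffixes of every corpus hash starting with it. The client never
    sends the full hash, which is the k-anonymity property of that API."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str, context_words=()) -> tuple:
    """Return (ok, reasons). Rejects short, breached, context-derived and
    trivially repetitive passwords; deliberately imposes no character-class
    rules, which 800-63B advises against."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    for word in context_words:          # e.g. company or product names
        if word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    # four identical characters in a row, or a short unit repeated end to end
    if re.search(r"(.)\1{3,}", pw) or re.fullmatch(r"(..+?)\1+", pw):
        reasons.append("repetitive pattern")
    if is_breached(pw):
        reasons.append("appears in breach corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Summer2024!", "PowerSchool-Support-2025",
                      "correct horse battery staple"]:
        print(candidate, check_password(candidate, context_words=("powerschool",)))
```

Note what the check does not do: it never complains about missing digits or symbols. "Summer2024!" satisfies every classic composition rule and still fails, because it is short and sits in the corpus; a long passphrase with no symbols passes. That is the trade 800-63B makes, and the one the stealer logs suggest PowerSchool had not yet made.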

PowerSchool’s Response and Remediation

Following the breach discovery, PowerSchool took several steps:

Immediate Response

  • Engaged CrowdStrike for forensic investigation and incident response
  • Disabled the compromised maintenance access and reset all PowerSource portal passwords
  • Implemented MFA on all customer support portal accounts
  • Paid an undisclosed ransom to the attackers in exchange for their claim that the stolen data had been deleted; such a claim cannot be verified, and affected districts should treat the data as still in circulation

Victim Support

PowerSchool partnered with Experian to offer all affected individuals:

  • Two years of complimentary identity protection services (regardless of whether SSNs were stolen)
  • Two years of complimentary credit monitoring for adults and students who have reached the age of majority
  • A dedicated toll-free call center at 833-918-9464

Notification Process

PowerSchool began notifying affected customers on January 7, 2025, and started individual notifications on January 29, 2025. The company is handling notifications on behalf of school districts to reduce their administrative burden.

Transparency Concerns

Critics have noted that PowerSchool’s public communications lacked specific details about the number of affected individuals and which districts were impacted. School administrators have reported relying on crowdsourced information to understand the breach’s impact on their districts.

Implications for Education Sector Security

The PowerSchool breach highlights systemic vulnerabilities in education technology infrastructure:

Concentration Risk

PowerSchool’s dominance in the K-12 SIS market means a single breach can impact tens of millions of students. The centralization of student data in cloud platforms creates attractive targets for cybercriminals.

Long-Term Identity Theft Risks

The stolen data includes information about minors who cannot open credit accounts or monitor their credit until adulthood. This creates opportunities for synthetic identity fraud that may not be discovered for years. Parents and guardians can request a credit freeze on a minor's file with each credit bureau, which is the one concrete step that blunts this risk before the child reaches adulthood.

Third-Party Risk

Educational institutions must scrutinize the security practices of their technology vendors, including third-party access controls, authentication requirements, and incident response capabilities.

Regulatory Response

The breach is likely to prompt increased regulatory scrutiny of education technology companies and potentially new legislation around student data protection standards. Multiple class action lawsuits have already been filed against PowerSchool.

Industry Standards

The incident underscores the need for mandatory security standards in education technology, including requirements for MFA, endpoint security, password policies, and regular security audits for companies handling student data.
