PowerSchool, a prominent U.S edtech company, has begun formally informing concerned entities about a substantial data breach from December 2024, potentially affecting millions of students and teachers in North America.
Subject to the infiltrating cyberattack, the infiltrator exploited a purloined account credential to approach PowerSchool’s customer support portal, resulting in a substantial leakage of confidential student and educator data.
Their corporate announcement acknowledged the departure from standard multi-factor authentication security measures in the hacked account. Moreover, notifications mandated by regulation following such incidents are in the process of being filed.
PowerSchool, based in California, lodged a data breach intimation with Maine’s attorney general. The complaint confirms over 33,000 individual records stolen during the incidence in the state. However, PowerSchool refrains from divulging the aggregate number of those affected.
Unconfirmed reports suggest the cyberattackers secured access to personal data of approximately 62 million students and 9.5 million teachers. The company promptly alerts that it cannot concur with the exact number of compromised individuals as data review proceedings are continuously being revised.
It is crucial to note, the event is intricate as reviewing data for on-premises customers warrants extended cooperation between PowerSchool and its clients.
While many questions remain unanswered, school districts are joining forces to investigate the extent and impact of the breach. PowerSchool has confirmed that it cannot presently ascertain the types of confidential data accessed as this varies per individual client and is contingent on district policies and regulations.
Acute effects of the breach are manifest in the Toronto District School Board (TSDB), among others, reporting nearly four decades of student data breached, impacting almost 1.5 million students. Other impacted districts, such as West Ada School District and Virginia’s Alexandria City Public Schools, are notifying those affected and disclosing the nature of compromised data.
Original source: Read the full article on TechCrunch
