The K-12 software giant that runs the most commonly used student information system in U.S. schools said a data breach could have exposed the personal information of millions of students and teachers.
PowerSchool, which says its suite of school software products has more than 16,000 customers that serve 50 million students in the United States, this week notified affected customers of the hack that occurred Dec. 28.
The breach is the latest in a series of high-profile cybersecurity incidents affecting K-12 schools, which are a top target of hackers and are uniquely vulnerable to cyberattacks.
The hackers gained access to customer data housed in PowerSchool’s student information system, according to a letter the company sent to a district in Georgia that was published in a local news report. Districts can store a range of student and staff records in their information systems, including demographic data, attendance, grades, and enrollment history for students, and licensing and salary information for staff.
In PowerSchool’s letter to the district, the company said it has notified law enforcement, there is no evidence of malware or “continued unauthorized activity,” and it believes the data accessed will not be shared or made public.
“We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together,” the letter said.
The company did not immediately respond to a request for comment on Thursday.
What we know about the PowerSchool breach
The hacker (or hackers) who accessed PowerSchool data did so by using a “compromised credential” to enter PowerSource, an online portal customers can use to get help with PowerSchool’s various products for schools. The information the hacker accessed “relates to families and educators,” and those affected are users of PowerSchool’s student information system. The letter from the California-based company did not explicitly state what information was accessed.
In response to the breach, PowerSchool has deactivated the account used to access the system and “conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
The company plans to provide credit monitoring to “a subset” of adults affected by the breach and identity protection services to minors who were affected.
PowerSchool said the breach affected none of its other products—which include learning management platforms, financial management and budgeting tools, an artificial intelligence assistant, and programs that help educators use data to support student achievement.
Why schools are a top target for cyberattacks
Data breaches have become a top concern in recent years for district leaders in charge of education technology as the frequency and scope of cyberattacks increase. Schools are often targets of these hacks and breaches because they store so much data, have lots of staff and students with access to their systems, and have increasingly relied on online storage systems to store that data.
And in the last few years, schools have become even more reliant on technology to aid instruction and have dramatically increased their use of online programs and apps for teaching.
Hacks of that technology are a problem that can have implications for teaching and learning, school budgets, and parent communication, as well as the protection of students’ and staff members’ private information.
Eighty percent of school IT professionals in an early 2023 survey reported that they had been hit by a ransomware attack in the past year.
Tech leaders don’t feel prepared for cyberattacks, according to a report released in May 2023 by the Consortium for School Networking, and while there’s no way to eliminate the risk of data breaches, there are steps districts can take to mitigate them.
What schools can do to prevent cyberattacks
Schools have the most power to minimize breaches before they sign on to use a company’s products. District leaders should analyze contracts and a company’s reputation thoroughly before entering into an agreement, Amy McLaughlin, the cybersecurity initiative project director for the Consortium for School Networking, told Education Week last year after a leak involving Raptor Technologies exposed millions of school records, including school safety plans and lockdown procedures.
Before a cyberattack, districts can establish a technology and communications plan that outlines how they would respond to a hack and notify community members. Districts should practice that plan in the same way they would a fire drill—consistently and intentionally.
Schools can also conduct technology “risk assessments” to identify and understand vulnerabilities.
Schools should also have backup plans to ensure learning can continue if technology is disabled because of a cyberattack, district leaders say. In some cases, school districts have had to shut down schools for several days after a data breach.
Districts should teach students and staff about phishing attempts, strong passwords
Investing some time in digital literacy efforts can go a long way, experts say.
School districts should teach employees not to use the same passwords on multiple sites, share them, or make them easily guessable. Employees also should learn to spot a phishing email, through which criminals posing as someone in the district, or a vendor, may ask for their login credentials.
The PowerSchool system was hacked using a “compromised credential,” according to the company’s letter to affected districts.
Districts should also implement multi-factor authentication so that staffers and students need more than just a username and password to access their systems. Some multi-factor authentication systems text a code to the user’s cellphone to confirm the person’s identity. Others involve authentication apps.
Guidance released in 2023 by the federal Cybersecurity and Infrastructure Security Agency recommends that districts leverage federal grants to secure funding to bolster cybersecurity efforts. It also says K-12 districts should join information-sharing forums, such as the Multi-State Information Sharing and Analysis Center and the K-12 Security Information Exchange.
PowerSchool has been expanding in recent years
PowerSchool has had the most-used student information system for a while. But in recent years, the company has also expanded into other services for schools through a series of acquisitions.
The company early last year acquired Allovue, allowing it to add school budgeting tools to its portfolio. (Allovue founder Jess Gartner serves on the board of Editorial Projects in Education, Education Week’s nonprofit owner.) In recent years, PowerSchool’s acquisitions have also included: Schoology, an online learning management platform for which demand grew during pandemic school closures; Neverskip, an India-based ed-tech firm; and SchoolMessenger, a communications platform for schools.
PowerSchool itself was acquired late last year in a $5.6 billion deal with the private equity firm Bain Capital. The company has also gone through stints of being owned by Apple and Pearson.