A K-12 software provider that runs one of the most commonly used student information systems in U.S. schools was hit by a cyberattack that could have exposed the personal information of millions of students and staff.
PowerSchool, which says its suite of software products has more than 16,000 customers serving 50 million students in the United States, notified affected customers on Jan. 7 of the hack, which occurred Dec. 28.
The data breach is the latest in a series of high-profile cybersecurity incidents with K-12 vendors from the past few years, including school safety software company Raptor Technologies in 2024 and data management software company Illuminate Education in 2022.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” PowerSchool said in a statement to Education Week. The company said there was no evidence of malware or “continued unauthorized activity,” and it believes the data accessed will not be shared or made public.
“We take our responsibility to protect student, family, and educator data privacy extremely seriously, and we are committed to helping affected customers, families, and educators with resources and support as we work through this together,” PowerSchool said in the statement. The company is providing credit monitoring or identity protection services to those affected.
K-12 schools are a top target for hackers and are uniquely vulnerable to cyberattacks. In an interview with Education Week, Doug Levin, a school cybersecurity expert and the national director of the K12 Security Information Exchange, discussed ways schools can reduce their risks and what they need to do if they’re affected by a cyberattack. The K12 Security Information Exchange is a nonprofit focused on sharing information, analysis, and best practices around cybersecurity for the education sector.
This conversation has been edited for brevity and clarity.
What was your initial reaction to this cyber incident?
This came very close to being the worst-case scenario cyber incident for the K-12 sector. There aren’t many systems as sensitive as a student information system. At the same time, for the vast majority of customers, it appears there was very little they could have done to prevent this. This was a cybersecurity failure at PowerSchool that customers had no reasonable expectation of being able to detect or prevent. I think it has scared a lot of people.
The company has claimed a strong cybersecurity culture. This is going to cause people to lose a lot of trust in that. How they respond is really going to dictate whether they’re able to keep people’s trust. It’s important to note that changing a student information system provider is a significant undertaking. If it was a different type of product, we might see a mass exodus.
What precautionary measures can districts take in light of this cyber incident?
PowerSchool is surely not the only vendor with remote access to sensitive school [information technology] systems. School systems would be well-served thinking about what their due diligence is for all of their vendors. There are things they should be doing at the [request for proposal] stage, at the procurement stage, and they need it written in contractual language to help protect them.
The second thing that I would say is that I think many school systems now are seeing the downsides to having an enormous repository of data. There are school systems that are going to have to be making breach notifications to every former student stretching all the way back to when the school system first started using a student information system. While school systems have records retention requirements under state law, they are still likely holding on to a lot of data that they are not required to hold on to. Even if they are required to hold onto it, it doesn’t mean that it needs to sit in a singular database that is connected to the internet and that anyone from the internet can access.
What are some ways districts can do their due diligence during procurement?
Districts need to be clear about what their non-negotiables are for cybersecurity. That has to be done during procurement. It has to be an explicit evaluation criterion, and those requirements need to be enshrined in contract language. At the end of the day, unless those things are in place, schools are not going to be able to hold their vendors to account.
If you’re in the process of onboarding [new] software, there are things that have to happen during implementation, from setting up and monitoring those systems and ensuring there’s a process for software updates, to reevaluating your incident response plan with respect to that product.
They鈥檙e going to need to conduct periodic risk assessments of their vendors, look to see who has had an incident, or whose product has significantly changed.
They also have to make sure they have a good process for offboarding vendors, so that sensitive data is being deleted, accounts are disabled, and access is revoked.
This speaks to the challenge, which is that many school systems do not have the resources and capacity to do this well. Districts are understaffed with respect to IT, and they are absolutely very thin with respect to cybersecurity expertise. This is where programs like the FCC cybersecurity pilot begin to sort of help. I say [sort of] because, in our view, the program was designed sub-optimally, to say nothing of the fact that demand for that program far, far outstrips available resources.
What are the pros and cons of using products from these big ed-tech companies, like PowerSchool, from a cybersecurity perspective?
There’s always inherent risk when there’s a very large user base for a product. It’s sort of a single point of failure, not just for your school system, but maybe for every school system in your state or across the country.
It’s incumbent on the schools to think about resilience, to think about back-up plans, and to be holding those particular vendors to a much higher standard of security, because the potential consequences of an incident are that much higher.