The K-12 software giant that runs the most commonly used student information system in U.S. schools said a data breach could have exposed the personal information of millions of students and teachers.
PowerSchool, which says its suite of school software products have more than 16,000 customers that serve 50 million students in the United States, this week notified affected customers of the hack that occurred Dec. 28.
The breach is the latest in a series of high-profile cybersecurity incidents affecting K-12 schools, which are a top target of hackers and are uniquely vulnerable to cyberattacks.
The hackers gained access to customer data housed in PowerSchool鈥檚 student information system, according to a letter the company sent to a district in Georgia that was . Districts can store a range of student and staff records in their information systems, including demographic data, attendance, grades, and enrollment history for students, and licensing and salary information for staff.
In PowerSchool鈥檚 letter to the district, the company said it has notified law enforcement, there is no evidence of malware or 鈥渃ontinued unauthorized activity,鈥 and it believes the data accessed will not be shared or made public.
鈥淲e are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together,鈥 .
The company did not immediately respond to a request for comment on Thursday.
What we know about the PowerSchool breach
The hacker (or hackers) who accessed PowerSchool data did so by using a 鈥渃ompromised credential鈥 to enter PowerSource, an online portal customers can use to get help with PowerSchool鈥檚 various products for schools. The information the hacker accessed 鈥渞elates to families and educators,鈥 and those affected are users of PowerSchool鈥檚 student information system. The letter from the California-based company did not explicitly state what information was accessed.
In response to the breach, PowerSchool has deactivated the account used to access the system and 鈥渃onducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.鈥
The company plans to provide credit monitoring to 鈥渁 subset鈥 of adults affected by the breach and identity protection services to minors who were affected.
PowerSchool said the breach affected none of its other products鈥攚hich include learning management platforms, financial management and budgeting tools, an artificial intelligence assistant, and programs that help educators use data to support student achievement.
Why schools are a top target for cyberattacks
Data breaches have become a top concern in recent years for district leaders in charge of education technology as the frequency and scope of cyberattacks increase. 69传媒 are often targets of these hacks and breaches because they store so much data, have lots of staff and students with access to their systems, and have increasingly relied on online storage systems to store that data.
And in the last few years, schools have become even more reliant on technology to aid instruction and have dramatically increased their use of online programs and apps for teaching.
Hacks of that technology are a problem that can have implications for teaching and learning, school budgets, and parent communication, as well as the protection of students鈥 and staff members鈥 private information.
Eighty percent of school IT professionals in reported that they had been hit by a ransomware attack in the past year.
Tech leaders don鈥檛 feel prepared for cyberattacks, according to a report released in May 2023 by Consortium for School Networking, and while there鈥檚 no way to eliminate the risk of data breaches, there are steps districts can take to mitigate them.
What schools can do to prevent cyberattacks
69传媒 have the most power to minimize breaches before they sign on to use a company鈥檚 products. District leaders should analyze contracts and a company鈥檚 reputation thoroughly before entering into an agreement, Amy McLaughlin, the cybersecurity initiative project director for the Consortium for School Networking, told Education Week last year after a leak involving Raptor Technologies exposed millions of school records, including school safety plans and lockdown procedures.
Before a cyberattack, districts can establish a technology and communications plan in the event of a hack that outlines how they would respond and notify community members. Districts should practice that plan in the same way they would a fire drill鈥攃onsistently and intentionally.
69传媒 can also conduct technology 鈥渞isk assessments鈥 to identify and understand vulnerabilities.
69传媒 should also have backup plans to ensure learning can continue if technology is disabled because of a cyberattack, district leaders say. In some cases, school districts have had to shut down schools for several days after a data breach.
Districts should teach students and staff about phishing attempts, strong passwords
Investing some time in digital literacy efforts can go a long way, experts say.
School districts should teach employees not to use the same passwords on multiple sites, share them, or make them easily guessable. Employees also should learn to spot a phishing email, through which criminals posing as someone in the district, or a vendor, may ask for their login credentials.
The PowerSchool system was hacked using a 鈥渃ompromised credential,鈥 according to the company鈥檚 letter to affected districts.
Districts should also implement multi-factor authentication so that staffers and students need more than just a username and password to access their systems. Some multi-factor authentication systems text a code to the user鈥檚 cellphone to confirm the person鈥檚 identity. Others involve authentication apps.
Guidance released in 2023 by the federal Cybersecurity and Infrastructure Security Agency recommends that districts leverage federal grants to secure funding to bolster cybersecurity efforts. It also says K-12 districts should join information-sharing forums, such as the Multi-State Information Sharing and Analysis Center and the K-12 Security Information Exchange.
PowerSchool has been expanding in recent years
PowerSchool has had the most-used student information system for a while. But in recent years, the company has also expanded into other services for schools through a series of acquisitions.
The company early last year , allowing it to add school budgeting tools to its portfolio. (Allovue founder Jess Gartner serves on the board of Editorial Projects in Education, Education Week鈥檚 nonprofit owner.) In recent years, PowerSchool鈥檚 acquisitions have also included: , an online learning management platform for which demand grew during pandemic school closures; , an India-based ed-tech firm; and , a communications platform for schools.
PowerSchool itself in a $5.6 billion deal with the private equity firm Bain Capital. The company has also gone through stints of being owned by Apple and Pearson.
