PowerSchool, a leading provider of cloud-based software used by schools to manage student information, experienced a cybersecurity incident. The PowerSchool cyberattack, which occurred between December 22 and December 28, 2024, affected several school districts across North America.
This cyberattack on school systems involved the unauthorized exportation of personal data from PowerSchool’s Student Information System (SIS) through its community-focused customer support portal, PowerSource.
In response to the PowerSchool cyberattack, the school has been proactive in providing support to affected schools, students, and educators; while also outlining the steps it is taking to strengthen its security infrastructure.
What Happened During the PowerSchool Cyberattack?
The PowerSchool cyberattack was first detected on December 28, 2024, when PowerSchool became aware of unauthorized access to personal information stored in its SIS. The data was allegedly exported through PowerSource, a customer support portal used by schools and districts for community engagement. Although PowerSchool confirmed the breach, it emphasized that no evidence of malware or continued unauthorized activity had been found within its systems.
Importantly, PowerSchool also clarified that the breach did not disrupt any of its services, and there were no reports of other PowerSchool products being affected. The company has maintained that its services continued as normal throughout the investigation, with no operational downtime for its customers.
What Information Was Compromised in this PowerSchool cyberattack?
The information stolen during the PowerSchool cyberattack included a range of personal data, particularly affecting students and educators. The compromised information during the PowerSchool cyberattack may have included names, contact details, dates of birth, Social Security numbers (SSNs), and medical alerts, as well as other related data. The exact data involved in each case varied depending on the specific requirements of the school districts using PowerSchool.
For students, the breach potentially impacted data such as:
- Full names
- Contact information
- Date of birth
- Health-related information (such as allergies, conditions, and injuries)
- Social Security numbers (SSNs)
- Residential information
In addition, educators’ personal information, including names, dates of birth, and SSNs, was also affected by the breach. However, PowerSchool confirmed that no financial or banking data, including credit card information, was involved in the incident.
Steps Taken to Address the PowerSchool Cyberattack
As soon as the breach was discovered, PowerSchool implemented its cybersecurity response protocols, engaging third-party cybersecurity experts to investigate the scope of the incident. A cross-functional response team, including senior leadership, was mobilized to assess the breach and work with affected school districts.
PowerSchool has been transparent about the steps it is taking to mitigate the impact of the cyberattack and protect the personal information of affected individuals. One of the key measures the company introduced is the offering of complimentary identity protection services and credit monitoring for all impacted students and educators.
- Identity Protection: PowerSchool is offering two years of free identity protection services to all students and educators whose information was involved in the breach. This service will help monitor and prevent potential identity theft.
- Credit Monitoring: For adult students and educators, PowerSchool is offering two years of complimentary credit monitoring services. This service aims to protect individuals whose SSNs were potentially exposed.
Additionally, PowerSchool has worked with Experian, a reputable credit reporting agency, to manage the identity protection and credit monitoring services. Notifications will be sent to affected students and educators, with PowerSchool coordinating the outreach through direct emails and public notices.
How Schools and Districts Are Responding to the Breach
Various school districts across North America, including the Toronto District School Board (TDSB), have provided updates to their communities. TDSB, which uses PowerSchool’s SIS, confirmed that the breach involved data from students who attended the district between September 1, 1985, and December 28, 2024.
The data compromised in the PowerSchool cyberattack included personal details such as health card numbers, student IDs, medical information, and addresses. The breach was reported to regulatory authorities, including the Office of the Information and Privacy Commissioner of Ontario (IPC), which has launched an investigation into the matter.
TDSB assured parents and guardians that there is no ongoing threat to its systems, and the incident has been contained.
Conclusion
The PowerSchool cyberattack highlights the critical need for stronger cybersecurity in schools as they increasingly rely on digital platforms. While PowerSchool has taken steps to address the breach, the incident emphasizes the importance of protecting sensitive student and educator data. Schools must prioritize better security measures and remain vigilant to prevent future breaches, ensuring the safety of personal information.
