Victims of the PowerSchool data breach say hackers stole “all” of students’ and teachers’ historical data
US school districts affected by the recent cyberattack on PowerSchool, the education technology giant, told TechCrunch that hackers gained access to “all” historical student and teacher data stored in their student information systems.
PowerSchool, whose school records software is used to support more than 50 million students across the United States, was hit by a hack last December. Hacking the company’s customer support portal With stolen credentials, allowing access to large amounts of personal data on students and teachers in K-12 schools. The attack has not yet been publicly attributed to a specific hacker or group.
PowerSchool did not say how many school customers were affected. However, two sources in the affected school districts — who requested to remain anonymous — told TechCrunch that the hackers had access to troves of personal data on current and former students and teachers.
“In our case, I just confirmed that they got all the historical data for students and teachers,” the person in one of the affected school districts told TechCrunch. While PowerSchool said hackers had access to its data since late December, district records show the attackers gained access earlier, the person added.
Another person, who works in a school district with nearly 9,000 students, told TechCrunch that the attackers had access to “demographic data for all teachers and students, active and historical, for as long as we’ve had PowerSchool.”
“We have seen this access in our records and [PowerSchool] “He revealed it in customer calls,” the second person said. They added that PowerSchool did not secure the affected system with basic protections, such as multi-factor authentication.
When contacted by TechCrunch, PowerSchool spokeswoman Beth Keebler did not dispute customer accounts but declined to discuss its security controls, citing company policy. When asked if PowerSchool uses multi-factor security across its business, Kepler said the company “already uses MFA,” but he did not go into detail.
Several school districts have made public information about how the PowerSchool breach affected their students and staff. The Menlo Park City School District, another district affected by the PowerSchool breach, confirmed that its historical data was accessed during the data breach. in Notice on their websiteThe California school district said the hackers had access to data on “all current students and staff,” as well as data on students and staff dating back to the beginning of the 2009-2010 school year.
Kibler, a PowerSchool spokesperson, declined to comment on the extent of the data breach, but told TechCrunch that PowerSchool “identified the schools and districts whose data was involved.” The company declined to publicly share the names of those schools or districts.
PowerSchool is still working to identify specific individuals whose data may have been accessed, Kibler said.
said Marc Racine, CEO of Boston-based educational technology consulting firm RootED Solutions In a blog post This week, the PowerSchool breach also affects school districts that were previous clients of PowerSchool, suggesting that the scale of the breach could extend far beyond the organization’s current 18,000 educational clients.
Racine added that some school districts are reporting the number of students affected is four to 10 times the number of students actively enrolled in their district.
According to a PowerSchool FAQ shared with customers last week, which TechCrunch has seen itData stolen in the hack includes individuals’ names, addresses, Social Security numbers, some medical information, class information, and other non-identifying personally identifiable information belonging to students and teachers.
Rancho Santa Fe School District, a California school district affected by the hack and one of the first PowerSchool customers to do so Submit your data breach notification The attackers also gained access to teachers’ credentials to access PowerSchool, the company said with state regulators.
When asked by TechCrunch, Kepler said that “the type of data stored in the SIS platform and historical data retention policies vary depending on individual customer and country requirements.”
“While our data review remains ongoing, we expect that the majority of participating customers did not have Social Security numbers or medical information leaked,” Kibler told TechCrunch in a statement on Tuesday.
PowerSchool told TechCrunch last week that it had taken “appropriate steps” to prevent publication of the stolen data, and said it “believes the data has been deleted without any further duplication or publication.” The company did not provide details about the steps it had taken, and refused to mention the evidence the company possesses indicating that the stolen data had been deleted.
Do you have more information about the PowerSchool data breach? We would love to hear from you. From a non-work device, you can contact Carly Page securely on Signal on +44 1536 853968 or by email at carly.page@techcrunch.com.
