Edtech giant PowerSchool has warned customers that hackers accessed its customers’ highly sensitive information — including student Social Security numbers, grades, and medical information — during a recent data breach, TechCrunch has learned.
In an FAQ obtained by TechCrunch that was sent to affected customers this week, PowerSchool says that “sensitive personal information” was accessed during its December breach, which was confirmed by PowerSchool on Wednesday.
The hackers broke into PowerSchool’s internal customer support portal using a stolen credential, the company previously said. The breach affects users of PowerSchool’s school information system, which schools use to manage student records, grades, attendance, and enrollment.
PowerSchool said in its FAQ that while the stolen data primarily includes contact details, such as individuals’ names and addresses, the hackers were also able to access Social Security numbers, some medical and grade information, and other unspecified personally identifiable information belonging to students and teachers.
The California-based education tech firm, the largest provider of cloud-based education software for K-12 education in the United States, says the personal information of parents and guardians, including names, phone numbers, and email addresses, was also potentially compromised in some school districts. The company said the types of stolen data will vary by customer.
PowerSchool spokesperson Beth Keebler confirmed the legitimacy of the information in the FAQ on Thursday but declined to say how many individuals are affected by the breach. PowerSchool says its software is used by over 16,000 customers to support more than 50 million students across North America.
In the FAQ, PowerSchool confirmed that the security incident was not ransomware in nature, but noted that it worked with CyberSteward, a Canadian organization that offers cyber-extortion incident response services, to negotiate with the threat actors responsible for the breach.
This confirms previous reporting that PowerSchool was the target of an extortion-only attack and that it paid a financial sum to prevent the hackers from publishing the stolen data.
PowerSchool declined to say what evidence it had to suggest that the stolen data had been deleted, when asked by TechCrunch on Thursday. CyberSteward did not respond to TechCrunch’s questions.
“PowerSchool has taken all appropriate steps to prevent the data involved from further unauthorized misuse and does not anticipate the data being shared or made public,” Keebler said. “PowerSchool believes the data has been deleted without any further replication or dissemination.”
PowerSchool was acquired by Bain Capital in 2024 in a $5.6 billion deal. When reached by TechCrunch this week, Bain Capital spokesperson Rachel Colson did not provide comment.
Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email.