We’re only a few months into 2025, but the recent hack of U.S. edtech giant PowerSchool is on track to be one of the biggest education data breaches in recent years.
PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, first disclosed the data breach in early January 2025.
The California-based company, which Bain Capital acquired for $5.6 billion, said an unknown hacker used a single compromised credential to breach its customer support portal in December 2024, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment.
While PowerSchool has been open about some aspects of the breach — for example, PowerSchool told TechCrunch that the breached PowerSource portal did not support multi-factor authentication at the time of the incident — several important questions remain unanswered months on.
TechCrunch sent PowerSchool a list of outstanding questions about the incident, which potentially affects millions of students.
PowerSchool spokesperson Beth Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company’s incident page. On January 29, the company said it began notifying individuals affected by the breach and state regulators.
Many of the company’s customers also have outstanding questions about the breach, forcing those affected to work together to investigate the hack.
In early March, PowerSchool published its data breach post-mortem, as prepared by CrowdStrike, two months after PowerSchool customers were told it would be released. While many of the details in the report were known, CrowdStrike confirmed that a hacker had access to PowerSchool’s systems as early as August 2024.
Here are some of the questions that remain unanswered.
PowerSchool hasn’t said how many students or staff are affected
TechCrunch has heard from PowerSchool customers that the scale of the data breach could be “massive.” But PowerSchool has repeatedly declined to say how many schools and individuals are affected, despite telling TechCrunch that it had “identified the schools and districts whose data was involved in this incident.”
Bleeping Computer, citing multiple sources, reported in January that the hacker responsible for the PowerSchool breach accessed the personal data of more than 62 million students and 9.5 million teachers.
When asked by TechCrunch, PowerSchool declined to confirm whether this number was accurate.
PowerSchool’s filings with state attorneys general and communications from breached schools, however, suggest that millions of people likely had personal information stolen in the data breach.
In a filing with the Texas attorney general, PowerSchool confirmed that almost 800,000 state residents had data stolen. A January filing with Maine’s attorney general said at least 33,000 residents were affected, but this has since been updated to say the number of impacted individuals is “to be determined.”
The Toronto District School Board, Canada’s largest school board, which serves approximately 240,000 students each year, said the hacker may have accessed some 40 years’ worth of student data, with the data of almost 1.5 million students taken in the breach.
California’s Menlo Park City School District also confirmed the hacker accessed information on all current students and staff — which respectively number around 2,700 students and 400 staff — as well as students and staff dating back to the start of the 2009-10 school year.
PowerSchool hasn’t said what types of data were stolen
Not only do we not know how many people were affected, but we also don’t know how much or what types of data were accessed during the breach.
In a communication shared with customers in January, seen by TechCrunch, PowerSchool said the hacker stole “sensitive personal information” on students and teachers, including students’ grades, attendance, and demographics. The company’s incident page also states that stolen data may have included Social Security numbers and medical data, but says that “due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.”
TechCrunch has heard from multiple schools affected by the incident that “all” of their historical student and teacher data was compromised.
One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student data, such as information about parental access rights to their children, restraining orders, and information about when certain students need to take their medications.
A source speaking with TechCrunch in February revealed that PowerSchool has provided affected schools with a “SIS Self Service” tool that can query and summarize PowerSchool customer data to show what data is stored in their systems. PowerSchool told affected schools, however, that the tool “may not precisely reflect data that was exfiltrated at the time of the incident.”
It’s not known if PowerSchool has its own technical means, such as logs, to determine which types of data were stolen from specific school districts.
PowerSchool won’t say how much it paid the hacker responsible for the breach
PowerSchool told TechCrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach.
This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, or how much the hacker demanded.
We don’t know what evidence PowerSchool received that the stolen data has been deleted
PowerSchool’s Keebler told TechCrunch that the company “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.”
However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn’t confirm or deny when asked by TechCrunch.
Even then, proof of deletion is by no means a guarantee that the hacker is no longer in possession of the data; the U.K.’s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.
The hacker behind the data breach is not yet known
One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hacker but has refused to reveal their identity, if known. CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch’s questions.
CrowdStrike’s forensic report leaves questions unanswered
Following PowerSchool’s release of its CrowdStrike forensic report in March, one person at a school affected by the breach told TechCrunch that the findings were “underwhelming.”
The report confirmed the breach was caused by a compromised credential, but the root cause of how the compromised credential was acquired and used remains unknown.
Marc Racine, chief executive of the Boston-based education technology consulting firm RootED Solutions, told TechCrunch that while the report provides “some detail,” there is not enough information to “understand what went wrong.”
It’s not known exactly how far back PowerSchool’s breach actually goes
One new detail in the CrowdStrike report is that a hacker had access to PowerSchool’s network between August 16, 2024, and September 17, 2024.
The access was gained using the same compromised credentials used in December’s breach, and the hacker accessed PowerSchool’s PowerSource, the same customer support portal compromised in December to gain access to PowerSchool’s school information system.
CrowdStrike said, however, that there is not enough evidence to conclude this is the same threat actor responsible for December’s breach due to insufficient logs.
But the findings suggest that the hacker — or multiple hackers — may have had access to PowerSchool’s network for months before the access was detected.
Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at [email protected].