It’s only January, but the recent hack of U.S. edtech giant PowerSchool has the potential to be one of the biggest breaches of the year.
PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students in the United States, confirmed the breach in early January. The California-based company, which Bain Capital acquired for $5.6 billion in 2024, said at the time that hackers used compromised credentials to breach its customer support portal, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment.
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource,” PowerSchool spokesperson Beth Keebler told TechCrunch.
PowerSchool has been open about certain aspects of the breach. Keebler told TechCrunch that the PowerSource portal, for example, did not support MFA at the time of the incident, while PowerSchool did. But a number of important questions remain unanswered.
This week, TechCrunch sent PowerSchool a list of outstanding questions about the incident, which has the potential to impact millions of students in the U.S. Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company’s SIS incident page, which hasn’t been updated since January 17.
PowerSchool told customers it would share an incident report from cybersecurity firm CrowdStrike, which the company hired to investigate the breach, on January 17. But several sources who work at schools impacted by the breach told TechCrunch that they have yet to receive it.
The company’s customers also have lots of unanswered questions, forcing those impacted by the breach to work together to investigate the hack.
Here are some of the questions that remain unanswered.
It’s not known how many schools, or students, are affected
TechCrunch has heard from schools affected by the PowerSchool breach that the impact could be “massive.” However, PowerSchool’s incident page makes no mention of the scale of the breach, and the company has repeatedly declined to say how many schools and individuals are affected.
In a statement sent to TechCrunch last week, Keebler said PowerSchool had “identified the schools and districts whose data was involved in this incident,” but would not be sharing the names of those involved.
However, communications from impacted school districts give a general idea of the size of the breach. The Toronto District School Board (TDSB), Canada’s largest school board that serves approximately 240,000 students each year, said this week that hackers may have accessed some 40 years’ worth of student data. Similarly, California’s Menlo Park City School District confirmed that hackers accessed information on all current students and staff — which respectively number around 2,700 students and 400 staff — as well as students and staff dating back to the start of the 2009-10 school year.
The scale of the data theft is also unknown. PowerSchool also hasn’t said how much data was accessed during the cyberattack, but in a communication shared with its customers earlier this month, seen by TechCrunch, the company confirmed that hackers stole “sensitive personal information” on students and teachers, including some students’ Social Security numbers, grades, demographics, and medical information. TechCrunch has also heard from multiple schools affected by the incident that “all” of their historical student and teacher data was accessed.
One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student data, including information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medications.
PowerSchool hasn’t said how much it paid the hackers responsible for the breach
PowerSchool told TechCrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach.
This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, nor how much the hackers demanded.
We don’t know what evidence PowerSchool received that the stolen data has been deleted
In a statement shared with TechCrunch earlier this month, PowerSchool’s Keebler said the organization “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.”
However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn’t confirm or deny when asked by TechCrunch.
Even then, proof of deletion is by no means a guarantee that the hackers are still not in possession of the data; the U.K.’s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.
We don’t yet know who was behind the attack
One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hackers but has refused to reveal their identities. CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch’s questions.
Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.
