Table of Contents
We are only a few months after 2025, but the recent hack of the American Edtech Giant Power School is on schedule to be one of the largest data breaches for education in recent years.
Power School, which offers K-12 software to more than 18,000 schools to support around 60 million students in North America, first revealed the data breach at the beginning of January 2025.
The company, based in California, which Bain Capital has taken over for $ 5.6 billion, said that an unknown hacker used a single compromised reference in December 2024 to violate its customer service portal, resulting in further access to the school information system of the company, Power School Sis, which Schools use.
Although power school has been open about some aspects of the infringement – for example, Power School told Techcrunch that the broken Powersource Portal not Support for multi-factor authentication at the time of the incident-differing important questions remain unanswered months later.
Techcrunch sent Power School a list of excellent questions about the incident, which may affect millions of students.
Spokesperson Beth Keebler of Power School refused to answer our questions and said that all updates with regard to the infringement would be placed on the The incident page of the company. On January 29, the company said it started with informing persons affected by the infringement and the regulations.
Many of the customers of the company also have excellent questions about the infringement, which means that those who have been affected to work together to investigate the hack forcing to investigate the hack.
At the beginning of March, Power School published its Datalek Post-Mortem, As prepared by CrowdstrikeTwo months after Power School customers were told that it would be released. Although many of the details were known in the report, Crowdstrike confirmed that a hacker already had access to the Power School systems in August 2024.
Here are some of the questions that remain unanswered.
Power School has not said how many students or staff are affected
Techcrunch has heard from Power School customers that the scale of the data breach can be ‘huge’. But Power School has repeatedly refused to say how many schools and individuals are being affected, despite the telling of Techcrunch that it had “the schools and districts identified whose information was involved in this incident”.
BLEKING COMPUTERWith reference to multiple sources, the hacker who was responsible for the Power School infringement had access to the personal data of more than 62 million students and 9.5 million teachers.
When asked by Techcrunch, Power School refused to confirm whether this number was accurate.
The files of Power School at the general and communication of the state lawyers of violating schools, however, suggest that millions of people have probably stolen personal information in the data breach.
In an application with the attorney -general of Texas, Power School confirmed that nearly 800,000 in residents of the state had stolen data. An application in January to the attorney general of Maine said that at least 33,000 inhabitants had been hit, but this has been since then updated To say that the number of affected individuals must be “determined”.
The Toronto District School Board, the largest school board in Canada, which serves around 240,000 students every year, said that the hacker may have had access to 40 years of student data, with the data of nearly 1.5 million students who have been infringed.
Menlo Park City School District in California too confirmed De Hacker has access to information about all current students and employees and about 2,700 students and 400 employees and 400 employees who date students and employees who date from the start of the 2009-10 school year.
Power School did not say what types of data have been stolen
We not only know not how many people have been affected, but we also do not know how many or which types of data are accessible during the infringement.
In a communication shared with customers in January, seen by Techcrunch, Power School said that the hacker stole “sensitive personal information” about students and teachers, including the figures, presence and demography of students. The incident page of the company also states that stolen data may contain SOFI numbers and medical data, but says that “because of differences in customer requirements, the information that has been extracted for a certain individual in our customer base.”
Techcrunch has heard of several schools affected by the incident that “all” historical student and teaching data were affected.
One person who works in a affected school district told Techcrunch that the stolen data includes very sensitive student data, such as information about access rights for parental access to their children, restrictive orders and information about when certain students should use their medicines.
A source that spoke with JS in February revealed that Power School gave the affected schools a tool “Sis Self Service” that Power School customer data can request and summarize to show which data is stored in their systems. Power School, however, told the affected schools that the tool “may not precisely reflect data that were extracted at the time of the incident.”
It is not known whether Power School has its own technical resources, such as logs, to determine which types of data have been stolen from specific school districts.
Power school will not say how much the hacker has paid for the infringement
Power School told Techcrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication that was shared with customers, the company confirmed that it worked with a Cyber-Extortion incident response company to negotiate with the threat factors responsible for the infringement.
This has everything but confirmed that PowerSchool has paid a ransom to the attackers who have violated his systems. However, when the company was asked, the company refused to say how much it paid, or how much the hacker demanded.
We do not know what evidence of power school has received that the stolen data has been deleted
PowerSchool’s Keebler told Techcrunch that the company “does not anticipate the data that is shared or made public” and that it “believes that the data has been deleted without further replication or distribution.”
However, the company has repeatedly refused to say what evidence he has received to suggest that the stolen data had been deleted. Early report said that the company received video light, but Power School would not confirm or deny when he was asked by Techcrunch.
Even then, the proof of removal is by no means a guarantee that the hacker is still not in possession of the data; The recent Takedown of the UK of the Lockbit -Ransomware -gang has discovered the evidence that the gang still had data from victims who had paid a ransom question.
The hacker behind the data breach is not yet known
One of the biggest strangers about the Powschool Cyberattack is who was responsible. The company has been in communication with the hacker, but has refused to reveal their identity if known. Cybersteward, the Canadian Incident Response Organization with which Power School worked to negotiate, did not respond to the questions of Techcrunch.
Crowdstrike’s forensic report lets questions leave unanswered
The next Power School’s release of being Crowdstrike Forensic Report In March, one person told a school of Techcrunch that the findings were ‘underwhelming’ by the infringement.
The report confirmed that the infringement was caused by a compromised reference, but the cause of how the compromised reference was obtained and used remains unknown.
Marc Racine, Chief Executive of the Boston -based Education Technology Consultancy Agency Rooted Solutions, Techcrunch said that although the report offers ‘only details’, there is not enough information to ‘understand what went wrong’.
It is not known exactly how far the infringement of power school actually goes
A new detail in the Crowdstrike report is that a hacker had access to the Power School network between 16 August 2024 and 17 September 2024.
Admission was obtained using the same compromised references used in the infringement of December, and the hacker has access to PowerSchool’s Powersource, the same customer support portal in December to gain access to the Power School school information system.
However, Crowdstrike said that there is not enough evidence to conclude that this is the same threat actor who is responsible for the December infringement due to insufficient logs.
But the findings suggest that the hacker – or several hackers – may have had access to the Power School network for months before the entrance was detected.
Do you have more information about the Power School -datalek? We would like to hear from you. From a non-work device you can safely contact Carly Page on Signaal on +44 1536 853968 or via e-mail at carly.page@techcrunch.com.