Education software firm’s hack exposes personal data for students, teachers nationwide
An education software company which stores data belonging to more than 60 million K-12 students and teachers on Tuesday said it had been hacked.
PowerSchool offers cloud-based software to thousands of school districts which use its system to host platforms for attendance, finance, enrollment, staff management and more. It is also the parent company of Naviance, a platform which offers students customized college and career advice and harnesses reams of personal data on student performance, including GPA and test scores.
The education software giant became aware of what a spokesperson called “a potential cybersecurity incident” involving unauthorized access to one of its customer portals, known as PowerSource, on December 28.
“We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,” the spokesperson said in a statement. “The incident is contained and we do not anticipate the data being shared or made public.”
The statement said the company hired cybersecurity experts to help it navigate the hack as soon as it learned of the breach.
“We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously,” the statement said.
The incident was first reported by Bleeping Computer.
The PowerSchool spokesperson said the breached data for the most part includes just names, addresses and other contact information, but in some cases also encompasses Social Security numbers, personally identifiable information, medical information and grades.
PowerSchool told Bleeping Computer that the breach was not a ransomware attack but said it nonetheless paid a ransom to prevent the data from leaking.
The company said it received a video purporting to show the data has been erased, Bleeping Computer reported.
Such videos are not always reliable and there is a possibility that the student and teacher data remains in the hacker’s possession and could still be leaked.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.