PowerSchool data breach victims claim hackers stole ‘all’ historical student and teacher data

US school districts affected by the recent cyberattack on edtech giant PowerSchool told TechCrunch that hackers accessed “all” of their students’ and teachers’ historical data stored in their student information systems.

PowerSchool, whose school records software is used to support more than 50 million students in the United States, was hit by an intrusion in December that compromised the company’s customer support portal with student information. stolen identification, allowing access to tons of personal data belonging to students and teachers. in K-12 schools. The attack has not yet been publicly attributed to a specific hacker or group.

PowerSchool did not say how many of its client schools are affected. However, two sources from the affected school districts – who asked to remain anonymous – told TechCrunch that the hackers accessed a lot of personal data belonging to current and former students and teachers.

“In our case, I just confirmed that they obtained all the historical data on students and teachers,” the person from one affected school district told TechCrunch. The person added that although PowerSchool said the hackers gained access to its data starting in late December, district logs show the attackers gained access earlier.

Another person, who works in a school district with nearly 9,000 students, told TechCrunch that the attackers accessed “the demographics of all teachers and students, both active and historical, for as long as we have had PowerSchool.” .

“We saw this access in our logs and (PowerSchool) disclosed it during customer calls,” the second person said. They added that PowerSchool failed to secure the affected system with basic protections, such as multi-factor authentication.

When contacted by TechCrunch, PowerSchool spokesperson Beth Keebler did not dispute customer accounts but declined to discuss its security controls, citing company policy. When asked if PowerSchool uses multi-factor security across its business, Keebler said the company “uses MFA” but did not elaborate.

Several school districts have publicly released information about how the PowerSchool breach affects their students and staff. The Menlo Park City School District, another district affected by the PowerSchool breach, also confirmed that its historical data was accessed during the data breach. In a notice posted on its website, the California school district said hackers accessed the data of “all current students and staff,” as well as student and staff data dating back to the 2009-2010 school year.

PowerSchool spokesperson Keebler declined to comment on the scope of the data breach, but told TechCrunch that PowerSchool had “identified the schools and districts whose data was involved.” The company declined to publicly share the names of those schools or districts.

Keebler said PowerSchool is still working to identify specific people whose data may have been accessed.

Mark Racine, managing director of Boston-based education technology consulting firm RootED Solutions, said in a blog post this week that the PowerSchool breach also affects school districts that are former PowerSchool customers, suggesting that The scale of the breach could extend beyond the organization’s 18,000 existing educational customers.

Racine added that some school districts are reporting a number of affected students between four and 10 times the number of actively enrolled students in their district.

According to a PowerSchool FAQ shared with customers last week and viewed by TechCrunch, the data stolen in the breach includes individuals’ names and addresses, Social Security numbers, some medical and educational information, and other unspecified personal information belonging to students and teachers. .

The Rancho Santa Fe School District, a California school district hit by the hack and one of the first PowerSchool customers to file its own data breach notice with state regulators, said the attackers also gained access Teacher credentials to access PowerSchool.

When interviewed by TechCrunch, Keebler said that “the type of data stored in the Student Information System (SIS) platform and historical data retention policies vary depending on individual customer and state requirements.”

“While our review of the data is ongoing, we anticipate that the majority of customers involved did not have Social Security numbers or medical information exfiltrated,” Keebler told TechCrunch in a statement Tuesday.

PowerSchool told TechCrunch last week that it had taken “appropriate measures” to prevent the publication of the stolen data, and said it “believes the data was deleted without any further replication or dissemination.” The company did not provide details on what steps it took and declined to say what evidence it had to suggest the stolen data had been deleted.

Do you have more information about the PowerSchool data breach? We would love to hear from you. From a non-work device, you can contact Carly Page securely on Signal on +44 1536 853968 or by email at carly.page@techcrunch.com.