PowerSchool, a leading provider of cloud-based software solutions for K-12 schools and districts worldwide, has confirmed a major cybersecurity incident. This breach has exposed sensitive student and staff information across multiple school districts using the PowerSchool SIS platform. The incident underscores the growing vulnerability of education systems to cyberattacks.
What Is PowerSchool?
PowerSchool supports over 60 million students and 18,000 customers globally, offering tools for student information management, enrollment, communication, analytics, and finance. It also operates Naviance, a platform used for personalized college and career readiness planning, making it a critical infrastructure component for many schools across North America.
The Breach: What Happened?
PowerSchool detected the breach on December 28, 2024, after an attacker accessed its PowerSource customer support portal using compromised credentials. Through a maintenance tool, the threat actor exported sensitive data from the PowerSchool SIS platform, including student and teacher records stored in "Students" and "Teachers" database tables.
The breach impacted districts across North America and allowed the attacker to exfiltrate data in CSV format. Stolen information included names, addresses, and, in some cases, Social Security numbers, medical records, grades, and other sensitive details.
PowerSchool’s Response
In response to the incident, PowerSchool implemented several immediate measures:
- Password Resets: Rotated passwords for all PowerSource accounts and implemented stricter password policies.
- Incident Investigation: Engaged third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the breach.
- Ransom Payment: While the incident was not a ransomware attack, PowerSchool confirmed paying a ransom to prevent the release of stolen data, obtaining assurances that the data was deleted.
Despite these assurances, PowerSchool is actively monitoring the dark web to ensure the stolen data is not leaked.
Who Was Affected?
The breach affected numerous school districts across the United States and Canada, including:
- Alabama School Districts
- Etowah County School District in Alabama
- Region 1 School District in Connecticut
- Ascension Parish Public Schools in Louisiana
- St. Charles Parish Public Schools in Louisiana
- Pittsfield Public Schools in Massachusetts
- Bessemer Area Schools in Michigan
- North Carolina School Districts
- Fairmount Public Schools in North Dakota
- North Border School District in North Dakota
- Lower Merion School District (LMSD) in Pennsylvania
- Oxford Area School District in Pennsylvania
- Colchester School District in Vermont
- Sturgeon Bay Schools in Wisconsin
- Dufferin Peel Catholic District School in Ontario, Canada
- Durham District School Board in Ontario, Canada
- School districts in Newfoundland and Labrador in Canada
A full list of impacted districts is still emerging as notifications are issued.
Steps for Parents, Students, and Teachers
Impacted individuals are urged to take the following precautions:
- Reset Passwords: Update PowerSchool and related account credentials immediately.
- Monitor Accounts: Regularly review bank and credit card statements, as well as online accounts for unusual activity.
- Use Credit Monitoring Services: PowerSchool is offering credit monitoring for adults and identity protection services for minors affected by the breach.
The Path Forward
As investigations continue, PowerSchool is working closely with cybersecurity experts to strengthen its defenses. CrowdStrike's final report, expected by January 17, 2025, will provide further clarity on the incident and steps to prevent future breaches.
The breach has raised concerns about the security of sensitive information in educational systems. Progressive security measures, such as continuous monitoring and stronger password protocols, are becoming increasingly essential as cyber threats evolve.
Lessons Learned
The PowerSchool breach is a sobering reminder of the risks associated with centralized digital systems. Schools, parents, and software providers must work together to protect sensitive data and ensure robust cybersecurity practices are in place. This includes proactive monitoring, better user education, and transparent communication when incidents occur.