More than 70 million students and teachers had their personal data stolen in PowerSchool breach
Data breach impacts more than 6500 school districts across the U.S. and Canada
More details have emerged about the December 28, 2024 cyberattack on PowerSchool, the cloud-based educational software company. The company disclosed the attack on January 7th, and the threat actor who breached it has since claimed in the extortion demand that the number of affected students and employees is over 70 million.
As reported by BleepingComputer, the personal data of 62.4 million students and 9.5 million teachers was exposed during the attack when the threat actor used stolen credentials to access the PowerSchool customer support portal. They then used a maintenance access tool to download the data from districts’ PowerSIS databases.
PowerSchool reportedly paid a ransom to stop the data from leaking, and the hacker claimed they deleted all of the stolen data. The exposed data varies by district, because the types of information each district stores in the SIS database depend on state and district policy requirements. However, it is expected that less than a quarter of the students who were impacted by the breach had their Social Security numbers exposed. A further review of the data is still required, because both cloud-based and on-premises SIS databases must be examined, and that requires districts to share information for analysis.
PowerSchool, which is a cloud-based software for K-12 schools, provides tools that handle enrollment, communication, attendance, learning systems, staff management, grades, finances, analytics and more. The company has offered two years of free identity theft protection and credit monitoring services for all the students and district employees who were affected by the breach. They will also send data breach notifications to the State Attorney General’s offices of each affected school district on behalf of customers, though a timeline as to when that will happen is unclear.
The company has also promised to release an incident report based on CrowdStrike's investigations from January 17th, but that has also not yet been made available; PowerSchool says that CrowdStrike is still working on finalizing a forensic report that can be made available to customers. In the meantime, there is a dedicated public website that those impacted can monitor for additional information. An update on the customer-only FAQ states that customers can receive a confidential CrowdStrike fact sheet on what is currently known.
What to do now
First, if you've received an email or notice from your school district, it should have some information about whether or not your data was affected and how to proceed. If you have been affected, follow the steps and details in the note about signing up for the identity theft protection and credit monitoring services offered by PowerSchool.
If you have questions, the email or notice should include details about how to contact your district, or you can visit PowerSchool's SIS incident page. If you want to make sure you and your family are already protected, you can check out our list of best identity theft protection services, which we tested using our own accounts and which includes a Best for families option.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.