U.S. school districts affected by the recent cyber attack on tech giant PowerSchool told TechCrunch that the hackers had access to “all” of the historical student and teacher data stored in their student information systems.
PowerSchool, whose school records software is used to support more than 50 million students across the United States, was hit by a hack in December that compromised the company’s customer support portal with stolen credentials, allowing access to troves of personal data owned by students and teachers in K-12 schools. The attack has not yet been publicly attributed to a specific hacker or group.
PowerSchool has not said how many of its school customers are affected. However, two sources at the affected school districts — who asked not to be named — told TechCrunch that the hackers accessed reams of personal data belonging to both current and former students and teachers.
“In our case, I just confirmed that they received all of the historical student and teacher data,” the person at an affected school district told TechCrunch. The person added that while PowerSchool said hackers had access to its data since late December, the district’s logs show that attackers gained access earlier.
Another person, who works in a school district with nearly 9,000 students, told TechCrunch that the attackers had access to “demographic data for all teachers and students, active and historical, for as long as we’ve had PowerSchool.”
“We have seen this access in our logs and [PowerSchool] has disclosed this on customer calls,” the second person said. They added that PowerSchool did not secure the affected system with basic protections such as multi-factor authentication.
When reached by TechCrunch, PowerSchool spokeswoman Beth Keebler did not dispute the customers’ accounts but declined to discuss its security controls, citing company policy. When asked if PowerSchool uses multi-factor security in its operations, Keebler said the company “uses MFA,” but did not elaborate.
Several school districts have released information about how the PowerSchool breach is affecting their students and staff. The Menlo Park City School District, another district affected by the PowerSchool breach, also confirmed that its historical data was accessed during the data breach. In announcement on its websitethe California school district said the hackers accessed data on “all current students and staff,” as well as student and staff data dating back to the start of the 2009-2010 school year.
PowerSchool spokesperson Keebler declined to comment on the scale of the data breach, but told TechCrunch that PowerSchool had “identified the schools and districts whose data was involved.” The company declined to publicly share the names of those schools or districts.
Keebler said PowerSchool is still working to identify specific individuals whose data may have been accessed.
Marc Racine, CEO of Boston-based education technology consultancy RootED Solutions, said in a blog post This week, the PowerSchool breach also affects school districts that are former PowerSchool customers, suggesting the scale of the breach could extend beyond the organization’s 18,000 existing education customers.
Racine added that some school districts are reporting that the number of students affected is four to 10 times greater than the number of actively enrolled students in their district.
According to a PowerSchool FAQ shared with customers last week, seen by TechCrunch, the data stolen in the breach includes people’s names and addresses, Social Security numbers, certain medical and grade information and other unspecified personal information belonging to students and teachers.
Rancho Santa Fe School District, a California school district affected by the hack and one of PowerSchool’s first customers submits its own data breach notification with state regulators, he said the attackers also had access to teachers’ credentials to access PowerSchool.
When asked by TechCrunch, Keebler said that “the type of data stored on the Student Information System (SIS) platform and historical data retention policies vary based on individual customer and state requirements.”
“While our data review remains ongoing, we expect that the majority of affected customers did not have Social Security numbers or medical information,” Keebler told TechCrunch in a statement on Tuesday.
PowerSchool told TechCrunch last week that it has taken “appropriate steps” to prevent the stolen data from being published, and said it “believes the data has been deleted without further reproduction or dissemination.” The company did not provide details about the steps it took and declined to say what evidence the company had that suggested the stolen data had been deleted.
Have more information about the PowerSchool data breach? We would love to hear from you. From a non-working device, you can contact Carly Page securely on Signal on +44 1536 853968 or by email at carly.page@techcrunch.com.
