Over 60M kids' data may have been stolen: What you need to know

(NewsNation) — A leading education technology firm was the target of a data security breach last month, potentially exposing millions of students and teachers' sensitive data including Social Security numbers and medical information.

PowerSchool, the largest provider of cloud-based education software for K-12 education in the country, notified schools about the incident earlier this month, but the full scale of the cyberattack is still coming into view.

A new report from BleepingComputer, a cybersecurity news outlet, said the data breach impacted more than 62 million students and over 9.5 million teachers across 6,500 school districts.

Those numbers reportedly come from an extortion demand the hacker sent to the company.

A spokesperson for PowerSchool would not confirm or deny the figures in an email to NewsNation, but the company's website says it supports more than 60 million students globally.

Here's what we know about the PowerSchool data breach and what information was exposed.

What happened?

PowerSchool said it first became aware of the breach Dec. 28 after customer data from its PowerSchool Student Information System (SIS) was stolen through its PowerSource support portal.

PowerSchool SIS is a student information system that schools and districts use to manage grades, track attendance, enrollment and other student records.

Hackers accessed the portal using compromised credentials and stole the data using an "export data manager," BleepingComputer reported.

PowerSchool reportedly paid a ransom to prevent the stolen data from being leaked privately and saw a video of the hacker claiming to delete the data.

A company spokesperson would not say whether it paid a ransom, but major districts affected by the breach said they were told all the downloaded data had been destroyed.

The company revealed the incident to its customers on Jan. 7 and said districts and schools that do not utilize PowerSchool SIS were not affected.

What information was exposed?

The stolen data primarily contains contact info like names, addresses and dates of birth. However, it could also include more sensitive info like Social Security numbers and "limited medical alert information," according to PowerSchool.

A company spokesperson told NewsNation that most individuals, more than three-quarters, did not have Social Security numbers exposed in the breach.

The type of data exposed varies by district due to different state and district policies, but there is no evidence that credit card or banking information was involved, PowerSchool said.

Some districts have revealed which data was stolen. In Lake Forest, Illinois, a pair of districts said in a public notice that the following student information had been accessed:

Student name and ID number
Parent/guardian contact information
Dates of enrollment and withdrawal reasons
Bus stop code
Physician’s name and phone number
Limited medical alert information (e.g., allergies)
Existence of an IEP or 504, not plan specifics or eligibility information
Student school and homeroom

Staff also had info like their names, most recent department and school email addresses exposed, the districts said.

In total, about 20,000 current and former students and staff records were accessed between the two districts. However, sensitive data like Social Security numbers and insurance information were not compromised.

Teachers in other parts of the country weren't so lucky.

In North Carolina, about 312,000 teachers’ Social Security numbers were exposed in the breach, according to WRAL News.

Whose data was stolen?

The company would not say how many districts and schools were involved in the breach when asked by NewsNation.

BleepingComputer reported Wednesday that the data breach impacted 62,488,628 students and 9,506,624 teachers across more than 6,500 school districts in the U.S., Canada and other countries.

PowerSchool would not confirm those numbers, but they're in line with claims on the company's website.

PowerSchool says its software is used by over 18,000 customers to support more than 60 million students around the world. According to TechCrunch, the company serves more than 75% of students in North America.

In some places, like the Memphis-Shelby School District in Tennessee, a PowerSchool account is required to enroll, according to FOX13 Memphis.

"We don't get a choice," one parent said. "If that information can be leaked out, that's serious."

Now, the school district is among the largest allegedly impacted, with more than 485,000 students and 54,000 teachers' information exposed, BleepingComputer reported.

The San Diego Unified School District, the second largest school district in California, also notified families that its student data had been caught up in the breach.

In Texas, the Dallas Independent School District published a notice earlier this month saying it was affected by the incident.

Other major districts that were impacted include Charlotte-Mecklenburg Schools and the Wake County Public School System (WCPSS) in North Carolina.

WCPSS said the potentially impacted data includes some staff's Social Security Numbers as well as their street addresses and other personal info. The school system said no student's Social Security numbers were accessed, but their names, birthdays and mailing addresses may have been.

What's being done about it?

The company doesn't believe there is an ongoing risk and said there's no evidence of malware or "continued unauthorized activity."

PowerSchool said it's still working to complete its investigation and is setting up a system to provide resources to those who may have been impacted.

Parents and guardians whose student's data was exposed will receive a notification email from PowerSchool "over the next few weeks," the company said.

PowerSchool says it will also offer 2 years of free identity protection and credit monitoring services for all impacted students and educators.

"We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving our customers and our shared communities," a company spokesperson said in an email.

You can monitor updates and learn more about the incident at the public website set up by PowerSchool.

Topics

If You Need to Escape a Wildfire in an EV, Here Is What to Know

Driving an electric car in a wildfire emergency has its own unique challenges and benefits.
The Wall Street Journal - 6h
What you need to know: New Man City signing Khusanov is 'built to defend'

Abdukodir Khusanov's meteoric rise has been capped by a €48m move to Man City this week. Here's all you need to know about the 20-year-old Uzbekistan star.
ESPN - 3d
AP men's poll reaction: What you need to know about each Top 25 team

The latest AP Top 25 poll is out for the 2024-25 season. Here's what you need to know about all 25 teams.
ESPN - 4d
TikTok refugees are pouring to Xiaohongshu. Here's what you need to know about the RedNote app

A rare wave of U.S.-China camaraderie broke out online in recent days as “refugees” from the popular short video platform TikTok poured onto a Chinese social media platform to protest a now-delayed ...
ABC News - 6d
Afghanistan faces a complex set of challenges in 2025 — here’s what you need to know

2024 was a tumultuous year for Afghanistan, marked by many significant events that will continue to challenge the country in 2025.
The Hill - Jan. 9
What you need to know about HMPV

Pictures from China, where cases of the virus are surging, have people worried on social media.
BBC News - Jan. 7
AP poll reaction: What you need to know about each Top 25 team

The latest poll is out, and here's what's next for all 25 teams.
ESPN - Jan. 6
How to watch the 2025 Golden Globe Awards this Sunday (and what else you need to know)

The 82nd Golden Globes will air live Sunday on CBS from the Beverly Hilton, with two streaming options for Paramount+ subscribers. Here's how to watch.
Los Angeles Times - Jan. 3
Are PFAS in everything? What you need to know about ‘forever chemicals’

Reducing exposure to the toxic blend of chemicals in everyday items is difficult – but possible. PFAS, sometimes called “forever chemicals”, are a group of thousands of chemicals that are used for ...
The Guardian - Jan. 3