Major Data Breach Impacts District 65, New Trier
PowerSchool hacked; paid a ransom for your child's data
This is a national story that has been building for a few days: thousands of school districts were impacted by a data breach at an educational technology firm, PowerSchool.
PowerSchool hack exposes student, teacher data from K-12 districts (Bleeping Computer)
Edtech giant PowerSchool says hackers accessed personal data of students and teachers (TechCrunch)
PowerSchool’s main product, SIS, is a student information system designed to manage student, guardian, and teacher data. It is widely used in K-12 schools and districts, including District 65 and New Trier.
According to TechCrunch, the hackers breached the company's customer support portal and compromised PowerSchool SIS:
PowerSchool said it identified on December 28 that hackers successfully breached its PowerSource customer support portal, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment. The letter said the company’s investigation found the hackers gained access “using a compromised credential.”
According to District 65’s statement, the information accessed included student data, guardian data, and health information on students:
Using the instructions provided by PowerSchool, our Technology Department identified the fields accessed at District 65. For all current and former D65 students in PowerSchool, that information includes:
Student name and District 65 ID number
Student address
Student birth date
Guardian email address
Transfer dates for the last active school year the student was enrolled
Student lunch PIN (used only internally)
Free/reduced lunch status
Health concerns (examples include allergies; glasses; medical conditions such as asthma, ADHD, epilepsy)
The PowerSchool records accessed for students do NOT include grades, GPA, financial information, special education status, schedule information, or Social Security numbers.
According to the statement put out by New Trier, the information hacked from them included:
Using the instructions provided by PowerSchool, our Technology Department identified the fields accessed at New Trier. For current students, that information includes:
Student names and New Trier ID numbers
Student addresses
Student birth dates
Parent/guardian/emergency contact names and phone numbers
I reached out to ETHS but haven’t heard back yet; however, I reviewed their list of bills for 2019 to the present and was unable to find any payments made to PowerSchool, so they are likely not a user.
PowerSchool is a Major EdTech Player
In School Year 2022-23, 199 Illinois school districts hired PowerSchool and paid more than $11 million per year. Here’s the full list compiled from annual statements for SY2022-23.
Someone should forward this list and organize a class action suit. You wouldn’t be the first: according to TechCrunch, PowerSchool is already facing a class action accusing them of monetizing student data, which they deny:
PowerSchool was sued by class action in November 2024, which alleges the company illegally sells student data without consent for commercial gain. According to the lawsuit, the company’s troves of student data totals some “345 terabytes of data collected from 440 school districts.”
PowerSchool also has an extensive Trust and Security page, which indicates they have industry-leading best practices. However, I wonder how much is just theater if a single compromised employee credential granted access to all the data.
Furthermore, Bleeping Computer reported that PowerSchool was extorted and paid a ransom to the hackers:
In an unusually transparent FAQ only accessible to customers, PowerSchool also confirmed that this was not a ransomware attack but that they did pay a ransom to prevent the data from being released.
"PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors," reads an FAQ seen by BleepingComputer.
"With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist."
PowerSchool was given “reasonable assurances” that your kid’s data is not for sale on the dark web. But don’t worry, PowerSchool has implemented some changes, including best practices they claimed they were already doing on their website:
Engaged CrowdStrike, a third-party cybersecurity firm, to investigate the breach. Their final forensic report is expected to be released at the end of next week and will provide a clearer understanding of the incident and its potential impact.
Implemented additional information security best practices, requiring updated credentials for all employees, and restricting access to their support system tools.
You may remember CrowdStrike from the 2024 outage that impacted 8.5 million computers at large corporations and airports.
Just got an email from ETHS. They use eSchool, so no data stolen there.
I suppose it may not have -technically- been ransomware, but I'd suggest that if you're paying ransom to a hacker group, no one really cares whether or not the data got encrypted as part of the attack.