US school districts affected by the recent cyberattack on edtech giant PowerSchool told TechCrunch that hackers gained access to “all” historical student and teacher data stored in their student information systems.
PowerSchool, whose school records software is used to support more than 50 million students in the United States, was hit by an intrusion in December that compromised the company’s customer support portal with stolen credentials, allowing access to mountains of personal data belonging to students and teachers in K-12 schools. The attack has not yet been publicly attributed to a specific hacker or group.
PowerSchool did not say how many of its school customers are affected. However, two sources from the affected school districts, who asked to remain anonymous, told TechCrunch that the hackers accessed personal data belonging to both current and former students and teachers.
“In our case, I just confirmed that they got all the historical data of students and teachers,” the person from one affected school district told TechCrunch. The person added that while PowerSchool said hackers had access to its data since late December, district records show the attackers had gained access before that.
Another person, who works in a school district with nearly 9,000 students, told TechCrunch that the attackers had access to “demographic data for all teachers and students, both active and historical, since we have had PowerSchool.”
“We saw this access in our records and (PowerSchool) disclosed it in customer calls,” the second person said. They added that PowerSchool did not protect the affected system with basic protections, such as multi-factor authentication.
When reached by TechCrunch, PowerSchool spokeswoman Beth Keebler did not dispute customers’ accounts but declined to discuss its security controls, citing company policy. When asked whether PowerSchool uses multi-factor security in its business, Keebler said the company “uses MFA,” but provided no details.
Several school districts have publicly posted information about how the PowerSchool breach is affecting their students and staff. The Menlo Park City School District, another district affected by the PowerSchool breach, also confirmed that its historical data was accessed during the data breach. In a notice on its website, the California school district said hackers accessed data on “all current students and staff,” as well as student and staff data dating back to the start of the school year 2009-2010.
PowerSchool spokesperson Keebler declined to comment on the scope of the data breach, but told TechCrunch that PowerSchool had “identified the schools and districts whose data was affected.” The company declined to publicly share the names of those schools or districts.
Keebler said PowerSchool is still working to identify specific individuals whose data may have been accessed.
Mark Racine, CEO of Boston-based education technology consultancy RootED Solutions, said in a blog post this week that the PowerSchool breach also affects school districts that are former PowerSchool customers, suggesting that the The scope of the breach could extend beyond the organization’s 18,000 existing education customers.
Racine added that some school districts report four to 10 times the number of students affected than the number of actively enrolled students in their district.
According to a PowerSchool FAQ shared with customers last week and viewed by TechCrunch, the data stolen in the breach included people’s names and addresses, Social Security numbers, some medical and rank information, and other unspecified personally identifiable information belonging to students and teachers. .
The Rancho Santa Fe School District, a California school district affected by the hack and one of the first PowerSchool customers to file its data breach notice with state regulators, said the attackers also accessed credentials of teachers to access PowerSchool.
When questioned by TechCrunch, Keebler said that “the type of data stored in the Student Information System (SIS) platform and historical data retention policies vary based on individual customer and state requirements.”
“While our review of the data is ongoing, we expect that the majority of affected customers did not have Social Security numbers or medical information exfiltrated,” Keebler told TechCrunch in a statement Tuesday.
PowerSchool told TechCrunch last week that it had taken “appropriate measures” to prevent publication of the stolen data and said it “believes the data has been deleted without any further replication or dissemination.” The company provided no details on the measures taken and refused to say what evidence it had to suggest that the stolen data had been deleted.
