PowerSchool, a company that assists schools in keeping track of tens of millions of students, has fallen victim to the largest breach of American children’s personal information. Cyberattacks against schools have become more and more common in recent years, with education facilities having the highest rate of ransomware attacks compared to any other workforce.
PowerSchool became aware of a hacker who gained what appears to be full access to the information of students whose school districts had used the customer support feature. The company discovered this on Dec. 28 but did not begin to communicate with districts that their data was compromised until Jan. 7. While not the entirety of PowerSchool’s customer base, the breach appeared to expose the data of tens of millions of American children. The exact number has not been released, but the hacker involved in the attack claimed to have the data of over 62 million students and teachers.
PowerSchool is best known for its Student Information System, which is one of the most widely used education programs in the United States. The SIS software helps school districts keep track of K-12 students and collects information like their name, school, birthday, address and their parent/guardian. Many districts add additional information into the system such as the student’s social security number, health concerns and disciplinary records.
Children have no agency in how their own personal data is protected, and finding out who is at fault for stealing students’ information is extremely difficult as most cybercriminals repeatedly repackage and resell victims’ information. A 2024 study conducted by the American Association of Retired Persons found that identity theft costs Americans around $43 billion in 2023.
Cybercriminals who steal sensitive data often threaten to publish it if they’re not paid a ransom. In a private virtual briefing with customers, the company’s chief information officer, Mishka McCowan, said the company had paid the hacker and received a video of them appearing to delete the stolen data.
Cybersecurity experts caution that cybercriminals can backtrack on promises not to release data, and it’s impossible to verify that the hacker didn’t make backup copies.
As of Jan. 31, PowerSchool has finally begun contacting the families of the children whose data was stolen. The company is offering two years of free credit monitoring for every person affected by the data breach.
