A cybersecurity breach at PowerSchool, a leading education software company, has compromised sensitive student and teacher information across K-12 school districts in the United States and Canada. The breach, first detected on December 28, 2024, resulted from hackers infiltrating PowerSchool’s customer support portal, PowerSource, using stolen credentials.

From there, they gained access to the company’s Student Information System (SIS), which stores records on students and teachers. The data stolen includes names, addresses, Social Security numbers, medical details, and grades.

The company explained that hackers extracted two key database tables labeled “Students” and “Teachers.” PowerSchool has not disclosed the total number of individuals impacted but stated that only a subset of customers will require notifications.

One of the affected districts is Walker County Schools in Georgia. After receiving an email alert from PowerSchool, the district informed parents and staff. Superintendent Damon Raines told Local3News that the breach had affected families and educators in the district.

While PowerSchool has stressed that its other products were not impacted and that services remain operational, concerns have been raised about how the company handled the breach. According to The Register, one school CTO criticized PowerSchool for taking nearly two weeks to notify affected districts. They also noted that the company may have violated its data privacy agreements with school districts and could face legal consequences.

PowerSchool has taken several steps to address the situation, including deactivating the compromised credentials, resetting passwords, and strengthening access controls. The company also engaged cybersecurity firm CrowdStrike to investigate the attack.

BleepingComputer reported that PowerSchool confirmed it paid an undisclosed ransom to prevent the stolen data from being leaked. The company worked with CyberSteward, a firm specializing in cyber-extortion negotiations, and claimed to have received assurances that the data was deleted. Despite these claims, cybersecurity experts caution that there is no guarantee the hackers did delete the data, and it’s still possible it will be used or sold in the future.

Meanwhile, PowerSchool has pledged to provide credit monitoring for affected adults and identity protection services for impacted minors. The company also plans to release a full cybersecurity report by January 17, 2025, which will be shared with affected school districts.