The hack of education technology giant PowerSchool could be the largest breach of American children’s personal information — and it could have been prevented with a couple of basic security measures, like multifactor authentication.

The breach appears to have exposed the data of tens of millions of American children. While the exact numbers remain unclear, the hacker has claimed that the figure is 62 million.

PowerSchool notified its customers of a cybersecurity breach on Jan. 7. The company discovered the breach on Dec. 28 and said customer data from its PowerSchool SIS platform was stolen via the PowerSource support portal.

PowerSchool is a leading K-12 educational technology provider that serves 18,000 customers globally, including schools across the US and Canada. It manages grading, attendance, and personal information for more than 60 million K-12 students and teachers.

PowerSchool SIS is a student information system (SIS) that manages student records, grades, attendance, enrollment, and other related data.
“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” the notification reads.

An investigation into the incident revealed the threat actor gained access to the portal using compromised credentials and stole data through an “export data manager” customer support tool.

“The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource,” PowerSchool said in a statement. “PowerSource contains a maintenance access tool that allows PowerSchool engineers to access Customer SIS instances for ongoing support and to troubleshoot performance issues.”

The compromised data primarily includes contact information such as names and addresses. In certain instances, more sensitive details like Social Security numbers, medical records, and academic grades were also exposed.

PowerSchool confirmed that while this was not a ransomware attack, they did pay a ransom to prevent the data from being released.

“We recognize the significance of this incident and are deeply regretful that it occurred,” a PowerSchool spokesperson said in a statement. “PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.”