Share your experience

Help others make the right choice.

Over 60 Million Students' Data Potentially Stolen: What You Need to Know

Data security breaches are an increasing concern in today’s digital world, and education technology is no exception. PowerSchool, a leading provider of cloud-based education software for K-12 schools, recently suffered a significant data breach that could potentially expose sensitive information of millions of students and educators. Here, we explore the details of the breach, what information was exposed, and what is being done to address the situation.

What Happened?

PowerSchool first became aware of the breach on December 28, 2024. Hackers reportedly gained access to the company’s PowerSource support portal by using compromised credentials. Through this unauthorized access, they exploited the “export data manager” feature in PowerSchool’s Student Information System (SIS) to steal customer data. This software is widely used by schools to manage grades, attendance, enrollment, and other records.

According to BleepingComputer, a cybersecurity news outlet, the hackers demanded a ransom and claimed to have deleted the stolen data after receiving payment. PowerSchool has neither confirmed nor denied whether a ransom was paid. On January 7, 2025, the company notified affected schools and districts of the breach, clarifying that those not using PowerSchool SIS were unaffected.

Scope of the Breach

The scale of this cyberattack is massive. Reports indicate that data belonging to over 62 million students and 9.5 million teachers across 6,500 school districts worldwide may have been compromised. PowerSchool’s website states it serves over 60 million students globally, highlighting the potential severity of the incident.

Several large school districts were reportedly affected, including:

  • Memphis-Shelby School District, Tennessee: Data of 485,000 students and 54,000 teachers may have been exposed.

  • San Diego Unified School District, California: Families were notified of potential data exposure.

  • Charlotte-Mecklenburg Schools and Wake County Public School System, North Carolina: The breach included Social Security numbers, street addresses, and other sensitive information.

What Information Was Exposed?

The type of data accessed varies by district due to differing policies, but the stolen information primarily includes:

  • Student Information: Names, addresses, dates of birth, and enrollment details.

  • Medical Alerts: Limited information, such as allergies.

  • Staff Data: Names, email addresses, and Social Security numbers in some cases.

In Lake Forest, Illinois, public notices revealed that student information such as bus stop codes, physician details, and the existence of individualized education plans (IEPs) was compromised. However, the specifics of the IEPs were not included.

In contrast, in North Carolina, approximately 312,000 teachers’ Social Security numbers were exposed. PowerSchool maintains that there is no evidence of credit card or banking information being compromised.

Impact on Affected Individuals

The potential consequences of such a breach are far-reaching. Stolen Social Security numbers and personal details can be used for identity theft and fraud. For parents and educators, the breach raises serious concerns about data privacy and the security of essential school systems. “We don’t get a choice,” one parent remarked, noting that PowerSchool accounts are mandatory for school enrollment in some districts.

What’s Being Done?

PowerSchool has assured its customers that the breach does not pose an ongoing risk. The company has stated that there is no evidence of malware or continued unauthorized access. Investigations are ongoing, and PowerSchool is working to provide resources to those affected.

To mitigate the impact of the breach, PowerSchool has announced the following measures:

  • Notification Emails: Parents and guardians will be informed if their student’s data was exposed.

  • Identity Protection Services: Two years of free credit monitoring and identity protection will be offered to affected students and educators.

A spokesperson for the company emphasized its commitment to learning from this incident and strengthening its systems to prevent future breaches. Updates and further information are available on a public website set up by PowerSchool.

Lessons Learned

This breach underscores the critical importance of cybersecurity in education technology. Schools and districts must work closely with service providers to ensure robust security measures are in place. Regular audits, improved authentication processes, and clear communication during incidents are essential to maintaining trust in these systems.

For individuals affected by the breach, vigilance is key. Monitoring credit reports, using identity theft protection tools, and being cautious with unsolicited communications are steps that can help minimize risks.

The PowerSchool data breach is a stark reminder of the vulnerabilities inherent in managing vast amounts of sensitive information digitally. With over 60 million students potentially impacted, the implications are profound. As investigations continue and affected individuals take steps to protect themselves, it is crucial for education technology firms to prioritize security and resilience moving forward.