Edtech giant PowerSchool has warned customers that hackers accessed its customers’ highly sensitive information, including student Social Security numbers, grades, and medical information, during a recent data breach, TechCrunch has learned.
In an FAQ obtained by TechCrunch that was sent to affected customers this week, PowerSchool says that “delicate private data” was accessed during its December breach, which was confirmed by PowerSchool on Wednesday.
The hackers broke into PowerSchool’s internal customer support portal using a stolen credential, the company previously said. The breach affects users of PowerSchool’s school information system, which schools use to manage student records, grades, attendance, and enrollment.
PowerSchool said in its FAQ that while the stolen data primarily consists of contact details, such as individuals’ names and addresses, the hackers were also able to access Social Security numbers, some medical and grade information, and other unspecified personally identifiable information belonging to students and teachers.
The California-based education tech firm, the largest provider of cloud-based education software for K-12 education in the United States, says the personal information of parents and guardians, including names, phone numbers, and email addresses, was also potentially compromised in some school districts. The company said the types of stolen data will vary by customer.
PowerSchool spokesperson Beth Keebler confirmed the legitimacy of the information in the FAQ on Thursday but declined to say how many individuals are affected by the breach. PowerSchool says its software is used by over 16,000 customers to support more than 50 million students across North America.
In the FAQ, PowerSchool confirmed that the security incident was not ransomware in nature, but noted that it worked with CyberSteward, a Canadian organization that provides cyber-extortion incident response services, to negotiate with the threat actors responsible for the breach.
This confirms earlier reporting that PowerSchool was the target of an extortion-only attack and that it paid a financial sum to prevent the hackers from publishing the stolen data.
PowerSchool declined to say what evidence it had to suggest that the stolen data had been deleted, when asked by TechCrunch on Thursday. CyberSteward didn’t respond to TechCrunch’s questions.
“PowerSchool has taken all acceptable steps to forestall the info concerned from additional unauthorized misuse and doesn’t anticipate the info being shared or made public,” Keebler said. “PowerSchool believes the info has been deleted without any additional replication or dissemination.”
PowerSchool was acquired by Bain Capital in 2024 in a $5.6 billion deal. When reached by TechCrunch this week, Bain Capital spokesperson Rachel Colson did not provide comment.
Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.