It’s only January, but the recent hack of U.S. edtech giant PowerSchool has the potential to be one of the biggest breaches of the year.
PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students in the United States, confirmed the breach in early January. The California-based company, which Bain Capital acquired for $5.6 billion in 2024, said at the time that hackers used compromised credentials to breach its customer support portal, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment.
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource,” PowerSchool spokesperson Beth Keebler told TechCrunch.
PowerSchool has been open about certain aspects of the breach. Keebler told TechCrunch that the PowerSource portal, for example, did not support MFA at the time of the incident, while PowerSchool did. But a number of important questions remain unanswered.
This week, TechCrunch sent PowerSchool a list of outstanding questions about the incident, which has the potential to impact millions of students in the U.S. Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company’s SIS incident page, which hasn’t been updated since January 17.
PowerSchool told customers it would share an incident report from cybersecurity firm CrowdStrike, which the company hired to investigate the breach, on January 17. But several sources who work at schools impacted by the breach told TechCrunch that they have yet to receive it.
The company’s customers also have lots of unanswered questions, forcing those impacted by the breach to work together to investigate the hack.
Here are some of the questions that remain unanswered.
It’s not known how many schools, or students, are affected
TechCrunch has heard from schools affected by the PowerSchool breach that the impact could be “massive.” However, PowerSchool’s incident page makes no mention of the scale of the breach, and the company has repeatedly declined to say how many schools and individuals are affected.
In a statement sent to TechCrunch last week, Keebler said PowerSchool had “identified the schools and districts whose data was involved in this incident,” but would not be sharing the names of those involved.
However, communications from impacted school districts give a general idea of the size of the breach. The Toronto District School Board (TDSB), Canada’s largest school board that serves approximately 240,000 students each year, said this week that hackers may have accessed some 40 years’ worth of student data. Similarly, California’s Menlo Park City School District confirmed that hackers accessed information on all current students and staff — which respectively number around 2,700 students and 400 staff — as well as students and staff dating back to the start of the 2009-10 school year.
The scale of the data theft is also unknown. PowerSchool also hasn’t said how much data was accessed during the cyberattack, but in a communication shared with its customers earlier this month, seen by TechCrunch, the company confirmed that hackers stole “sensitive personal information” on students and teachers, including some students’ Social Security numbers, grades, demographics, and medical information. TechCrunch has also heard from multiple schools affected by the incident that “all” of their historical student and teacher data was accessed.
One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student data, including information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medications.
PowerSchool hasn’t said how much it paid the hackers responsible for the breach
PowerSchool told TechCrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach.
This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, nor how much the hackers demanded.
We don’t know what evidence PowerSchool received that the stolen data has been deleted
In a statement shared with TechCrunch earlier this month, PowerSchool’s Keebler said the organization “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.”
However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn’t confirm or deny when asked by TechCrunch.
Even then, proof of deletion is by no means a guarantee that the hackers are still not in possession of the data; the U.K.’s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.
One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hackers but has refused to reveal their identities. CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch’s questions.
Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at [email protected].
Keep reading the article on Tech Crunch
Canada’s largest school board says hackers may have accessed some 40 years’ worth of student data during the recent PowerSchool breach.
In a letter sent to parents this week, the Toronto District School Board (TDSB) said that the data breach affected all students enrolled in the district between September 1985 and December 2024.
The school board, which serves approximately 240,000 students each year, said it stored historical student information in PowerSchool “to respond to requests for former student records.”
The compromised data includes students’ names, addresses, dates of birth, and phone numbers. More recent data from 2017, also taken in the breach, included contact information for parents and guardians, the board said.
TDSB said PowerSchool informed the board that the company received alleged confirmation from the hackers that the stolen data was deleted. PowerSchool has not commented on what confirmation it has received.
Keep reading the article on Tech Crunch
Hewlett-Packard Enterprise is investigating a data breach after a well-known hacker claimed to have stolen sensitive information from the company.
The hacker, who uses the alias “IntelBroker,” claims to have stolen a trove of data from HPE, the enterprise IT division of hardware giant HP.
In a post on a popular cybercrime forum on January 16, seen by TechCrunch, IntelBroker said the stolen data includes product source code, private GitHub repositories, as well as access keys to several HPE services, including APIs and platforms like WePay, GitHub and GitLab.
The hacker, who has previously claimed to have breached technology giants including AMD, Cisco and Nokia, also says they accessed HPE user data, including personally identifiable information related to past deliveries.
In a statement to TechCrunch, HPE spokesperson Laura von Pentz said, “HPE became aware on January 16 of claims being made by a group called IntelBroker that it was in possession of information belonging to HPE. HPE immediately activated our cyber response protocols, disabled related credentials, and launched an investigation to evaluate the validity of the claims.
“There is no operational impact to our business at this time, nor evidence that customer information is involved.”
When asked by TechCrunch, HPE declined to say how it was compromised. IntelBroker, who claims to be selling the data allegedly stolen from HPE, did not respond to TechCrunch’s questions.
Almost exactly a year ago, HPE confirmed that Midnight Blizzard, a Russia-linked hacking group, had compromised its cloud-based email environment. The company said hackers had “accessed and exfiltrated data” from a “small percentage” of mailboxes after “leveraging a compromised account to access internal HPE email boxes”
Keep reading the article on Tech Crunch