PowerSchool data breach: What parents and students need to know

A recent data breach involving PowerSchool has affected an estimated 62 million students and 10 million teachers. The cloud-based software solution provides tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance at more than 6,000 K-12 schools and districts across the United States and Canada.  

The breach has left parents and educators grappling with concerns over privacy and data security, exposing sensitive information that hackers are attempting to exploit on the dark web. Cybersecurity experts say that the breach could have significant impacts now and in the future.  

What happened?

On January 7th, PowerSchool revealed that a cyberattack struck its systems after a malicious hacker used stolen credentials to access the company’s customer support portal. According to reports, hackers downloaded a wide range of personal information, including names, addresses, Social Security numbers, grades, and possibly even health and medical records.  

PowerSchool also admitted that they paid a ransom to prevent the stolen data from being leaked privately, even receiving a video of the threat actor purporting to delete the data. While the company demonstrated some transparency in FAQs related to the breach, as of press time, they still have not provided specific numbers related to how many students and teachers were impacted by the breach.   

This has frustrated parents, teachers, and school administrators who have spoken publicly about the breach. Cybersecurity expert Dan Maldet, owner of CMIT Solutions of Downtown Columbus in Ohio, emphasized the potential severity of the breach. “I don’t think that just because they said [the data has been deleted] we should place much trust in that,” Maldet recently told Spectrum News 1. “We should still think that there’s a possibility that that data could get released or sold or get in the wrong hands.”  

What comes next?

PowerSchool has stated that the breach has been contained and continues to reiterate that all accessed data has been deleted. The company also added that, because individual school districts store their information in different ways, less than a quarter of impacted students had their Social Security number exposed in the breach. But for school districts hosting their own databases, PowerSchool’s data review has been more complicated, potentially leading to gaps in information. 

That’s why skepticism remains high among cybersecurity experts. The lack of multi-factor authentication (MFA) on the platform’s systems has been identified as a key vulnerability. MFA can significantly reduce the likelihood of such an attack.  

However, PowerSchool did announce that they would offer two years of complimentary identity protection services and two years of complimentary credit monitoring services for all applicable students and educators whose information was involved, regardless of whether an individual’s Social Security number was stolen.  

 The company also said they would make notifications on customers’ behalf to state attorneys general offices, educators, students, parents, and other impacted stakeholders. In light of the breach, CMIT Solutions and other cybersecurity experts recommend that families take their own steps to mitigate risks, as well. These include the following suggestions:   

• Update login credentials. Parents and students should immediately update their PowerSchool account passwords, along with credentials for any other accounts that use the same login. This simple step can prevent hackers from accessing additional platforms.
  
• Enable credit monitoring. While younger students may not yet have credit histories, parents should monitor credit activity to ensure that compromised personal information isn’t used fraudulently. Credit freezes are an additional protective measure worth considering.
  
• Stay vigilant for phishing attempts. Hackers may attempt to use stolen information from the PowerSchool breach to craft convincing phishing emails—perhaps even referencing the breach itself, or offering follow-up services. Parents and students should be cautious of any unsolicited messages requesting sensitive information.
  
• Communicate with schools. Parents should reach out to their school districts to inquire about any additional steps being taken to safeguard data and prevent future breaches.

Other big-picture recommendations.

Beyond individual steps like those mentioned above, CMIT Solutions also recommends that institutions take a more active role in improving cybersecurity. For businesses big and small, in the education industry or elsewhere, this includes regularly updating security protocols, conducting routine cybersecurity audits, significantly enhancing data protection, and better protecting employee login credentials to prevent unauthorized access. 

While the full scope of the PowerSchool breach is still being assessed, it’s a stark reminder of the vulnerabilities inherent in managing sensitive data. Schools are supposed to be safe places for kids and teachers, but cybersecurity risks continue to intrude on hallways and classrooms. 

 For parents and students, vigilance is essential to navigate the aftermath of this significant cybersecurity incident. If you have questions about the PowerSchool breach or want to adopt stronger protections for your information, CMIT Solutions is here to help. Contact us today for more information.