A major data breach at PowerSchool, a company that helps schools track students’ information, has exposed the personal data of millions of American children. Experts believe this could be the largest breach of student information in U.S. history. PowerSchool’s Student Information System (SIS), widely used across K-12 schools, was one of the affected systems. The breach compromised sensitive data, including names, addresses, birthdates, and, in some cases, Social Security numbers, health records, and disciplinary history.
An investigation by cybersecurity firm CrowdStrike revealed that the breach resulted from weak security measures. Hackers accessed the data using a single employee’s password, which lacked two-factor authentication, one of the most basic cybersecurity protections. PowerSchool only became aware of the breach days later when the hacker contacted the company demanding payment. The company reportedly paid the ransom in exchange for a video showing the hacker deleting the stolen data, but experts caution that cybercriminals often retain copies of compromised information.
The breach has affected tens of millions of students, with the hacker claiming that 62 million records were accessed. While PowerSchool has not confirmed exact figures, it estimates that fewer than 25% of affected students had their Social Security numbers compromised. Some students’ information, including disabilities and special education plans, was also exposed. In Utah, students’ locker combinations and lunch account balances were stolen.
PowerSchool has contracts with multiple states, including Alabama, North Carolina, and South Carolina. Other states impacted include California, New York, Texas, and Illinois. In Georgia alone, more than 230,000 students may have been affected.
Cybersecurity experts criticize the lax security measures in the EdTech industry, noting that schools rely on companies like PowerSchool to protect sensitive student data. Despite PowerSchool’s claims of strong cybersecurity practices, the breach has raised concerns about the industry’s lack of oversight. The Future of Privacy Forum is reviewing whether PowerSchool violated its Student Privacy Pledge.
As investigations continue, school officials, parents, and cybersecurity experts are calling for stricter security protocols to protect students’ personal data.
