What You Need to Know about the PowerSchool Data Breach
Table of Contents
- Published: Jan 29, 2025
- Last Updated: Jan 29, 2025
PowerSchool was founded in 1997 and is known for its expertise in providing cutting-edge education technology within the education community. It currently serves over 60 million students globally. The company has a robust intelligent system tailored to meet each student’s individual needs and serves educators in over 90 countries globally, including the United States. PowerSchool has its headquarters in Folsom.
Being an education software company with a large amount of private data and sensitive information, PowerSchool was recently targeted for a data breach in which the personal data of teachers and students was stolen. On December 28, 2024, PowerSchool notified certain Attorneys General Offices regarding a data breach incident involving the unauthorized extraction or transfer of information from the company’s Student Information System (SIS). The SIS is a platform the company uses to manage students’ enrollments, grades, records, attendance, and other activities.
According to multiple reports, over 62 million students from about 6,505 school districts in the United States, Canada, and a few other countries were impacted by the PowerSchool data breach. In response to the data breach, the education software company contracted third-party cybersecurity experts to investigate and mitigate the security incident. Investigations by PowerSchool reveal that the threat actor gained access to the company’s community-focused customer support portal known as PoweSource using compromised credentials and, afterward, exfiltrated the accessed data using an export data manager customer support tool.
PowerSchool has confirmed that data stolen from this security incident contains contact details, including names and addresses, of affected people. It also stressed that not all SIS customers were affected by the data breach. In other reports, grades, social security numbers, medical information, and personally identifiable information (PII), like names, email addresses, ethnicity, gender, addresses, and phone numbers, may also be included in the compromised data for some districts. A representative of the company has since clarified that customer credentials, tickets, or forum data were not accessed or exposed in the PowerSchool data breach.
When Was the PowerSchool Data Breach?
Although the PowerSchool data breach reportedly occurred between the 19th and 28th of December 2024, the company only became aware of the cybersecurity incident on December 28, 2024. However, the incident was not publicly disclosed until January 7, 2025. In an extortion demand, the hacker claimed they stole the personal data of 9.5 million teachers and 62.4 million students in the data security incident.
According to publication by PowerSchool, the information exfiltrated by the hacker for any given person varied across its customer base. In addition, schools and districts that do not utilize the company’s SIS were not affected by the data breach.
With the guidance of the cybersecurity experts engaged in investigating the incident, PowerSchool has been reasonably assured by the threat actor that the exposed data have been deleted and that there are no copies of such files anywhere. However, the company is still monitoring the dark web for possible data leaks in the future.
How to Check If Your Data Was Breached
As of late January 2025, PowerSchool is still making efforts to complete its investigation of the recent data breach. However, reports from the company show it is committed to keeping consumers informed about the incident by directly notifying students and educators whose data was involved. Generally, the notice received by each affected person will include a description of the type of personal data accessed by the hacker and the credit monitoring services and identity protection offered by PowerSchool.
You can check whether your data was breached in the PowerSchool data security incident by regularly reading status updates about the incident on the company’s security incident website, as the page will reveal when notices are sent to affected individuals. Alternatively, keep monitoring your email account for a potential influx of spam emails, which can indicate that your email address may have been compromised in the incident.
Furthermore, you can check if your information was breached in the PowerSchool cybersecurity incident using certain reliable online tools like Have I Been Pwned. In most cases, you only need to enter your name, email address, or year of birth to determine if any of your sensitive data has been compromised. However, it is important to ascertain the trustworthiness of such online tools before providing any personal information.
What to Do If Your Data Was Breached
If you think your data may have been compromised by the PowerSchool data breach, it is advised to take proactive measures to protect such information while waiting for notices by the company to affected individuals. The most important thing to do is to regularly monitor how the data might be used. For instance, check for any signs of identity theft using your SSN (social security number).
Furthermore, PowerSchool has revealed it will be offering affected individuals complimentary identity protection services in addition to 2 years of credit monitoring for adults. This is regardless of whether a person’s SSN was exfiltrated. If you receive notice from the company informing you that your data was breached by the incident, it is essential that you accept these offers to protect your data further.
You should also consider securing your online accounts, starting from the one specified in the breach notification, if your data was compromised in the PowerSchool data security incident. You can achieve this by updating your passwords and PINs (where applicable). Make sure to use unique passwords and PINs, and never reuse any credentials.
Another thing you can do is to lock or freeze your credit file, which typically limits access to your credit report. This will prevent creditors from gaining access to your credit, even for legitimate credit requests. Alternatively, you may want to consider initiating a fraud alert on your credit reports with all three crest bureaus. This will proactively notify any lender processing a credit application in your name to take additional steps to verify your identity before dealing.
Are There Any Lawsuits Because of the Data Breach?
Yes. As of late January 2025, at least 20 suits seeking class-action status have been filed in the U.S. District Court for the Eastern District of California against PowerSchool in the wake of the company’s recent data security incident. Each of these lawsuits was filed on behalf of a nationwide class of individuals whose sensitive information was breached in the incident.
Most of the lawsuits allege PoweSchool’s negligence during the cybersecurity incident, while a few others claim that the company failed to provide timely notice to affected individuals. Many of the lawsuits already filed against PowerSchool also claim the company lacks access control security measures and robust authentication to prevent hackers from stealing data.
Some of the lawsuits filed against PowerSchool as a result of the recent data breach are listed below:
- Tyler Baker, individually and on behalf of others similarly situated v. PowerSchool Holdings Inc, E.D Cal., No. 2:25 at 00040
- Sheilah Buack-Selton, and S.S., individually and on behalf of a class of similarly situated individuals v. PowerSchool Holdings Inc, E.D Cal., No. 2:25 at 00037
- Kimberly Kinney, individually and on behalf of others similarly situated v. PowerSchool Holdings Inc, E.D Cal., No. 2:25 at 00042
Can My PowerSchool Information Be Used for Identity Theft?
Yes. The PowerSchool data breach has triggered a heightened risk of identity theft, and anyone whose personally identifying information was exposed during the incident risks falling victim to identity theft. Generally, malicious actors may potentially use breached data, such as name, date of birth, social security number, phone number, and address, to impersonate you if your data was compromised by the breach.
In other instances, bad actors may sell exposed information on the dark web to other malicious actors who may end up applying for credit or new accounts in your name or even take over your accounts. Furthermore, such data may be used to file a fraudulent tax return or apply for certain government benefits in your name, including housing or employment.
What Can You Do to Protect Yourself Online?
Despite PowerSchool’s claims of its commitment to take all appropriate and reasonable countermeasures to ensure data confidentiality, the company’s system was breached, and data belonging to several millions of individuals was exposed. This strongly indicates that the security of your personal information primarily lies with you.
The following are some of the things you may do to protect yourself online:
- Enable two-factor authentication (2FA) across all your devices, including mobile phones and computers, to provide an additional level of security. This typically sends a prompt to verify your identity while trying to access your accounts.
- Always monitor your financial accounts and credit files and report any unusual activity/charges or unauthorized transactions to the appropriate authority. You should consider using a secure credit monitoring service to proactively monitor your credit file and notify you of any changes in your credit report.
- Install the latest antivirus software on your internet devices to keep them up to date. This will help detect, prevent, and mitigate cyber threats in real time.
- Use strong and unique characters when choosing passwords for your online accounts. Avoid using the same password for different accounts and avoid reusing previously used passwords.
- Beware of phishing attempts and messages that appear to be from legitimate sources. Such messages will urge you to act quickly on the instructions given. In many cases, they will request that you confirm certain confidential personal and financial information in an attempt to steal such data.
- Avoid sending sensitive data over unsecured public Wi-Fi networks. It is generally advisable to use your home network secured with a password when providing personal or financial information on any website or sharing it via email.
Use sites with educational resources like IDStrong to learn about cybersecurity. Information obtained from this site can empower you to safeguard yourself online.
