Over 70 million PowerSchool records stolen in massive educational data breach

Cal Jeffrey

Posts: 4,595   +1,682
Staff member
TL;DR: Parents, students, and educators across North America are reeling after what is shaping up to be the largest data breach of the new year. Hackers infiltrated a cloud-based software provider used by K-12 schools, compromising the sensitive information of millions of students and school personnel.

Based in Folsom, California, PowerSchool serves 16,000 schools globally and manages data for over 60 million students. On January 7, the company confirmed that attackers had accessed and exfiltrated personal data stored in its Student Information System.

The stolen data includes Social Security numbers, medical records, and home addresses. A report by Bleeping Computer revealed an extortion note from the attackers claiming they had stolen the records of 62.4 million students and 9.5 million teachers.

Among the hardest hit is the Toronto District School Board in Canada, which disclosed Monday that information on all students enrolled between 1985 and 2024 was exposed, equating to 1.4 million students and over 90,000 teachers. The data included names, dates of birth, health card numbers, home addresses, disciplinary notes, and even residency status. The district noted that the scope of the breach varied depending on the enrollment period but affected every student within that timeframe.

District Name Students Impacted Teachers Impacted
Toronto District School Board 1,484,733 90,023
Peel District School Board 943,082 39,693
Dallas Independent School District 787,212 79,718
Calgary Board of Education 593,518 133,677
Memphis-Shelby County School 485,087 54,501
San Diego Unified 472,278 Possibly not stolen
Charlotte-Mecklenburg Schools 467,974 57,486
Wake County Public School 461,005 92,783

California's Menlo Park City School District also reported significant fallout. All current students, staff, and anyone enrolled or employed since the 2009 – 2010 school year were impacted. This breach includes nearly 10,700 students and many former staff members.

PowerSchool stated it had communicated with the hackers, who allegedly said they would not release the data, supported by a video of its purported deletion. However, experts warn that such claims are impossible to verify and that the threat actors could still post the stolen information on the dark web. Several school districts have included these assurances in their breach notifications despite the dubious deletion claims from the attackers.

PowerSchool has not confirmed the number of affected individuals or whether it paid a ransom. However, it has begun offering those impacted a free two-year credit monitoring package. The breach illustrates the vulnerabilities of online education systems. It's not just banks, large corporations, and social media platforms that hackers target.

Permalink to story:

 
I don't think communicating "the hackers said they would delete it" to the affected individuals instills confidence. Makes me question the competency of the leadership managing the incident.
 
"Oh sorry we failed to protect every detail of your life from hackers. Here's a promotional offer from a company who collects more of your data."

It should be fairly obvious that handing out offers for credit monitoring is an extremely low cost method, widely used for that reason, that has sadly become the only thing you'll eventually get for giving out your data once it's inevitably stolen because the reality is... if they actually gave a crap it would have never been stolen.
 
I work for the TDSB and was given this email:
_______________________
Dear Staff,

Further to the information shared on January 8, 2025, we are writing with an update on the cyber incident involving PowerSchool’s Student Information System – the application used by TDSB and many school boards across North America to store certain student information.

If you were a staff member with TDSB between January 1, 2006 and December 28, 2024 and fall into the categories below, this notification applies to you. Please note that we will also be posting this letter on our website to notify TDSB’s former staff members who may be affected.

What Happened?

As you may recall, on Tuesday, January 7, 2025, PowerSchool notified TDSB and other school boards in Ontario and across North America that a PowerSchool system had experienced a data breach between December 22-28, 2024. TDSB’s cybersecurity team promptly activated our response plan, taking immediate steps to ensure that our critical systems remain operational. TDSB can confirm that our environment is secure, and that there is no ongoing unauthorized access to any data, either stored in PowerSchool’s Student Information System or elsewhere.

Who was Impacted?

We are contacting all current staff members at this time, however only certain staff members who fall within the following categories are impacted by this incident:

Principals and Vice-Principals
Teachers
Classroom support staff (eg. Educational Assistants, Dedicated Early Childhood Educators, Child and Youth Workers, Special Needs Assistants)
Office Staff (Office Administrators, Assistants, Secretaries)
Guidance Counsellors
Superintendents
Administrative Liaisons

Note that School-Based Safety Monitors, Caretakers and Lunchroom Supervisors were not impacted.

What Information was Impacted?

While our investigation with PowerSchool continues, we have now confirmed that some staff information stored in PowerSchool’s Student Information System may have been accessed and acquired by an unauthorized user. The information includes the following:

First, Middle & Last Names
Employee Number
TDSB Email Address

In addition to this information, a very limited number (approximately 350) of staff members’ personal phone number or home address was stored in PowerSchool’s Student Information System. Current staff members who are affected will receive a separate notification advising that your personal phone number or home address was impacted.

To be clear, TDSB does not store any Social Insurance Numbers, financial or banking information in the PowerSchool Student Information System, so that information was not affected in any way.

PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online. Nevertheless, TDSB continues to take this incident very seriously, and is working with PowerSchool to ensure an incident like this does not happen again in the future.

This breach has been reported to the Office of the Information and Privacy Commissioner of Ontario (the IPC) and an investigation file has been opened. While you are entitled to file a complaint, the IPC has advised that it is not necessary as they are already investigating the matter. You can visit the IPC’s website at www.ipc.on.ca.

Where Can I Find the Latest Information?

We will continue to provide additional updates as we receive them. Information on this evolving situation is available here on the TDSB’s website. We also recognize that you may have questions about what has occurred. Should you have any questions, please contact [email protected].

Sincerely,

Stacey Zucker

Interim Director of Education
________________________

As you can see, there are some dubious claims made...

By the way - this was just posted a few minutes ago as well...
 
Last edited:
And, you can bet they make the end users jump through hoops just to log on. Yet, this company and almost all of them cannot even protect themselves...
 
Back