PowerSchool, a leading provider of cloud-based software used by schools to manage student information, recently fell victim to a cybersecurity incident that affected several school districts across North America. The cyberattack occurred between December 22 and December 28, 2024, and involved the unauthorized exportation of personal data from PowerSchool’s Student Information System (SIS) through its community-focused customer support portal, PowerSource.
Upon detecting the cyberattack on December 28, 2024, PowerSchool took immediate action by engaging cybersecurity experts to investigate the breach. While the breach exposed personal information stored in the SIS, PowerSchool confirmed that no evidence of malware or continued unauthorized activity was identified within its systems. Importantly, the breach did not disrupt any of PowerSchool’s services, and there were no reports of other products being affected.
The compromised information during the cyberattack included a variety of personal data, particularly impacting students and educators. This data breach potentially exposed names, contact details, dates of birth, Social Security numbers (SSNs), medical alerts, and other related information. The specific data compromised varied depending on the requirements of the school districts using PowerSchool. However, PowerSchool clarified that no financial or banking data, including credit card information, was involved in the breach.
In response to the cyberattack, PowerSchool has been proactive in providing support to affected schools, students, and educators. The company is also taking steps to strengthen its security infrastructure and prevent future breaches. One notable measure taken by PowerSchool is the offering of complimentary identity protection services and credit monitoring for all impacted students and educators. This initiative aims to safeguard the personal information of those affected by the breach.
School districts impacted by the cyberattack, such as the Toronto District School Board (TDSB), have provided updates to their communities regarding the breach. TDSB confirmed that data from students who attended the district between September 1, 1985, and December 28, 2024, was compromised. The exposed personal information included health card numbers, student IDs, medical information, and addresses. Regulatory authorities, including the Office of the Information and Privacy Commissioner of Ontario (IPC), have launched investigations into the matter.
The PowerSchool cyberattack underscores the importance of robust cybersecurity measures in schools to protect sensitive student and educator data. As educational institutions increasingly rely on digital platforms, it is crucial for schools to prioritize cybersecurity and implement stringent security protocols. By staying vigilant and taking proactive measures, schools can prevent future breaches and ensure the safety of personal information.