Over 70 million PowerSchool records stolen in massive educational data breach
TL;DR: Parents, students, and educators across North America are reeling after what is shaping up to be the largest data breach of the new year. Hackers infiltrated a cloud-based software provider used by K-12 schools, compromising the sensitive information of millions of students and school personnel.
Based in Folsom, California, PowerSchool serves 16,000 schools globally and manages data for over 60 million students. On January 7, the company confirmed that attackers had accessed and exfiltrated personal data stored in its Student Information System.
The stolen data includes Social Security numbers, medical records, and home addresses. A report by Bleeping Computer revealed an extortion note from the attackers claiming they had stolen the records of 62.4 million students and 9.5 million teachers.
Among the hardest hit is the Toronto District School Board in Canada, which disclosed Monday that information on all students enrolled between 1985 and 2024 was exposed, equating to 1.4 million students and over 90,000 teachers. The data included names, dates of birth, health card numbers, home addresses, disciplinary notes, and even residency status. The district noted that the scope of the breach varied depending on the enrollment period but affected every student within that timeframe.
| District Name | Students Impacted | Teachers Impacted |
|---|---|---|
| Toronto District School Board | 1,484,733 | 90,023 |
| Peel District School Board | 943,082 | 39,693 |
| Dallas Independent School District | 787,212 | 79,718 |
| Calgary Board of Education | 593,518 | 133,677 |
| Memphis-Shelby County School | 485,087 | 54,501 |
| San Diego Unified | 472,278 | Possibly not stolen |
| Charlotte-Mecklenburg Schools | 467,974 | 57,486 |
| Wake County Public School | 461,005 | 92,783 |
California’s Menlo Park City School District also reported significant fallout. All current students, staff, and anyone enrolled or employed since the 2009 – 2010 school year were impacted. This breach includes nearly 10,700 students and many former staff members.
PowerSchool stated it had communicated with the hackers, who allegedly said they would not release the data, supported by a video of its purported deletion. However, experts warn that such claims are impossible to verify and that the threat actors could still post the stolen information on the dark web. Several school districts have included these assurances in their breach notifications despite the dubious deletion claims from the attackers.
PowerSchool has not confirmed the number of affected individuals or whether it paid a ransom. However, it has begun offering those impacted a free two-year credit monitoring package. The breach illustrates the vulnerabilities of online education systems. It’s not just banks, large corporations, and social media platforms that hackers target.
