Restoring trust in the system: Lessons learned from the PowerSchool data breach

The incident should be a wake-up call for administrators, teachers, parents, and vendors to ask tough questions about what data is collected, why it’s being stored, and how it is being protected.


Jason Mc Kenna Headshot

Shutterstock 2376207999I sat down to have lunch with a local district administrator in early January, and he was clearly stressed. I thought the normal disruptions of returning to school after the holiday break were the cause, but he quickly corrected me, saying he was dealing with the fallout from the PowerSchool SIS data breach across the U.S. and Canada.

PowerSchool is a leading cloud-based education technology platform providing K-12 schools with tools to manage student information, streamline administrative tasks, and enhance teaching and learning, offering features such as gradebook management, attendance tracking, and communication tools. This system offers a complete view of student progress, encompassing grades, attendance, assessments, and other vital data, fostering collaboration among teachers, students, and parents for better academic results; you can see every detail, from a student’s participation in class to their specific strengths and challenges.

Used by more than 16,000 customers to support more than 50 million students in the U.S., PowerSchool’s systems hold a vast repository of sensitive information, including student records, teacher data, and parent contact details. 

On December 28, 2024, PowerSchool detected a data breach of its systems, although unauthorized access probably started on December 19. The breach exposed millions of records, not only revealing personal information but also highlighting critical weaknesses in educational data security.

This regrettable incident offers schools a valuable lesson about the need to strengthen their cybersecurity proactively. As digital learning continues to expand, safeguarding sensitive information is no longer just an IT issue—it’s a fundamental requirement for maintaining trust in education.

What data was compromised?

Hackers gained unauthorized access to PowerSchool’s systems by exploiting compromised credentials, which were reportedly available on the dark web. Using a data export tool, the attackers extracted information from PowerSchool’s SIS tables.

The breach exposed sensitive data, including:

  • Names, addresses, and contact information of students, parents, and teachers.
  • In some cases, Social Security numbers (SSNs), medical records, and academic data.

Although not all districts stored SSNs or medical data, some did store this information from both staff members and students. The full scope of the breach remains unclear, but it is one of the most significant cybersecurity incidents in the history of K-12 education.

PowerSchool’s response

After discovering the breach, PowerSchool took several immediate steps to mitigate the impact and secure its systems:

  • Investigative Measures: PowerSchool engaged third-party cybersecurity firms, including CrowdStrike, to analyze the breach and identify vulnerabilities.
  • Access Controls: The company deactivated compromised credentials, reset passwords, and implemented stricter access controls to prevent further unauthorized access.
  • Support for Victims: PowerSchool is offering affected individuals credit monitoring and identity protection services. Adults are receiving standard credit monitoring, while minors are being enrolled in specialized identity protection programs.
  • Ransom Payment: In a controversial move, PowerSchool reportedly paid a ransom to prevent the stolen data from being released or duplicated. The attackers then provided video evidence of data deletion, but that doesn’t eliminate the ethical and legal questions surrounding ransom payments in data breaches.

Implications for K-12 education leaders

This incident highlighted some of the systemic vulnerabilities in K-12 cybersecurity, and offers three critical lessons for district leaders:

  1. Credential management is non-negotiable. The hackers exploited weak credential management, emphasizing the need for robust authentication protocols. Multi-factor authentication (MFA), regular password audits, and employee cybersecurity training could have mitigated this risk. Relying on single-factor authentication is no longer acceptable.
  2. Data governance needs improvement. Many districts store sensitive data, such as SSNs and medical records, unnecessarily. Schools must implement data minimization policies to reduce the amount of information stored in their systems. By limiting the exposure of sensitive data, breaches will have less catastrophic consequences.
  3. We need to hold vendors more accountable. Edtech providers like PowerSchool hold vast amounts of sensitive data, making them high-value targets for cybercriminals. This incident demonstrates the need for stricter security standards, regular independent audits, and greater transparency regarding data storage and protection.

Restoring trust

The PowerSchool data breach is a stark reminder of the stakes involved in safeguarding student and educator information. As schools continue to adopt digital tools, cybersecurity must strengthen in tandem. This is not just about protecting data—it’s about maintaining trust in an increasingly interconnected education system.

For parents, teachers, and administrators, this should be a wake-up call to ask tough questions about how student data is being protected, and to adopt a sense of urgency about cybersecurity. Schools must rethink what data they collect and why. By holding onto sensitive personal information that may not be necessary, are we prioritizing convenience over security?

By adopting data minimization policies and limiting the storage of non-essential information, schools can significantly reduce the risks and consequences of future breaches. For vendors like PowerSchool, it’s an opportunity to lead by example.

The time to act is now. Having robust cybersecurity in education is not optional—it’s essential.

Jason McKenna is V.P. of Global Educational Strategy for VEX Robotics and author of What STEM Can Do for Your Classroom: Improving Student Problem Solving, Collaboration, and Engagement, Grade K-6. His work specializes in curriculum development, global educational strategy, and engaging with educators and policymakers worldwide. For more of his insights, subscribe to his newsletter.

Page 1 of 4
Next Page