SoylentNews

upstart [soylentnews.org] writes:

████ # This file was generated bot-o-matically! Edit at your own risk. ████

Data breach hitting PowerSchool looks very, very bad [arstechnica.com]:

Text settings

Parents, students, teachers, and administrators throughout North America are smarting from what could be the biggest data breach of 2025: an intrusion into the network of a cloud-based service storing detailed data of millions of pupils and school personnel.

The hack, which came to light earlier this month, hit PowerSchool, a Folsom, California, firm that provides cloud-based software to some 16,000 K–12 schools worldwide. The schools serve 60 million students and employ an unknown number of teachers. Besides providing software for administration, grades, and other functions, PowerSchool stores personal data for students and teachers, with much of that data including Social Security numbers, medical information, and home addresses.

On January 7, PowerSchool revealed [powerschool.com] that it had experienced a network intrusion two weeks earlier that resulted in the “unauthorized exportation of personal information” customers stored in PowerSchool’s Student Information System (SIS) through PowerSource, a customer support portal. Information stolen included individuals’ names, contact information, dates of birth, medical alert information, Social Security Numbers, and unspecified “other related information.”

Since then, schools throughout the US and Canada have reported the devastating fallout. On Monday, for instance, the Toronto District School Board notified [tdsb.on.ca] parents, students, and former students that the breach exposed sensitive information of all students in the district between 1985 and 2024. Data stolen varied by the years students were enrolled, but the stolen info included:

• First, middle, and last names
• Date of birth
• Gender
• Health card number
• Grade level and school information
• Start/end date as a student
• Ontario Education Number
• EQAO accommodation information
• Medical information (i.e., allergies, conditions, injuries)
• Home addresses
• Home phone numbers
• TDSB student number
• TDSB email address
• First Nations, Métis, and Inuit information
• Residency status
• Principal/vice principal notes (including discipline notes)

Last week, California's Menlo Park City School District said [mpcsd.org] stolen information belonged to all current students and staff, all students enrolled since the start of the 2009–2010 school year, and many staff members who worked at the school since the start of the 2009–2010 school year.

“This includes students who may have been enrolled only for a short while before transferring out and staff who worked for MPCSD only briefly before leaving for whatever reason,” last week’s notice stated. The total number of students affected is 10,662. The notice went on to say that California law requires public schools to store student data in perpetuity.

PowerSchool has said that it has been in contact with the attackers and received assurances they won’t release it publicly. Bleeping Computer reported [bleepingcomputer.com] that the assurances were based on a video showing the threat actor deleting the data. PowerSchool has yet to confirm that account. Even if the account is true, there’s no way a video can prove all copies of the data have been destroyed. Despite this, school districts have passed those assurances on in their disclosure notices.

Bleeping Computer on Wednesday also reported [bleepingcomputer.com] that an extortion note the attacker sent to PowerSchool claimed that the personal data of 62.4 million students and 9.5 million teachers was swept up in the breach. PowerSchool said it’s offering two years of free credit monitoring to all those affected.

PowerSchool has yet to disclose the number of individuals affected or confirm whether it paid a ransom.

Original Submission