PowerSchool hack exposes personal data of millions of kids, raises cybersecurity questions

Schools in North Carolina and nationwide are doing damage control after a “cybersecurity incident” compromised the personal information of millions of K-12 students and teachers.

PowerSchool, a cloud-based education software provider for K-12 schools, notified customers Jan. 7 about the hacking, according to TechCrunch.

“PowerSchool said it did not experience a ransomware attack, but that the company was extorted into paying a financial sum to prevent the hackers from leaking the stolen data,” Carly Page wrote. “PowerSchool told the publication that names and addresses were exposed in the breach, but that the information may also include Social Security numbers, medical information, grades, and other personally identifiable information. PowerSchool did not say how much the company paid.” 

‘A global incident’ 

The North Carolina Department of Public Instruction is monitoring the situation but will not take any technical action “because we have proven that the secure systems are now in place,” said Vanessa Wrenn, the department’s chief information officer. 

“We are currently analyzing the entire North Carolina impact, and we will get a better understanding as this data becomes available to us,” she reported in a Jan. 8 briefing to the State Board of Education. 

“I want to stress this one point: no actions by our schools or no actions by DPI could have prevented this incident from happening. As a matter of fact, this is a global incident.” 

PowerSchool and law enforcement are working together to search the Internet and dark web for any of the compromised data, which PowerSchool says it has secured and deleted, according to Wrenn. 

“We take student and teacher data privacy very seriously, and we’ll continue to provide supports and updates as they become available.” 

As previously reported by The Lion, cybercriminals have increased attacks on public schools to obtain students’ personal data for taking out loans, which can devastate future credit scores. 

“As it turns out, the identity information of children is actually more valuable to [cybercriminals] than that of adults,” said Doug Levin, director of K12 Security Information eXchange. 

Cyberattacks have affected an estimated 87% of educational institutions, and 80% of school IT professionals have reported being hit by ransomware in a year. 

Analysts point to fake emails, as well as insecure devices, as common ways hackers can exploit school security practices to phish educators and students. 

PowerSchool has been sued by a former schoolteacher, who argues the company illegally sold student data without authorized consent to over 100 partners. The software provider has denied the allegations.