Hackers Attack PowerSchool, Expose K-12 Teacher and Student Data
2025-1-10 16:53:52 Author: securityboulevard.com

The personal information of some students and teachers in school districts across the United States was exposed in a data breach last month of a portal of PowerSchool, the largest education software provider in the United States, serving 16,000 school districts and 50 million students across the country.

The attack on the company’s PowerSource portal, first detected December 28, 2024, has sent local school districts scrambling to address the effects on their students and staffs and puts another spotlight on the growing cyberthreats to K-12 school systems, which have become a popular target of bad actors.

In statements to media outlets, PowerSchool officials would not comment on how many students, teachers, or school districts were affected by the incident. The exposed data includes information such as the names and addresses of teachers, students, and their families.

A statement released by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a state-level site for sharing cybersecurity information, said the stolen information in some instances also could include Social Security numbers, medical information, and grades.

In a letter sent to affected school districts that was signed by PowerSchool CEO Hardeep Gulati as well as the company’s CISO and chief customer officer, PowerSchool said the bad actors accessed the company’s Student Information System (SIS) using a compromised credential, adding that “the unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.”

Sensitive Data Stolen

The NJCCIC statement went further, saying that “the threat actor used compromised credentials to access the PowerSource maintenance access tool, which allows IT professionals to access customer SIS instances for support and troubleshooting. The threat actor then exported the sensitive data via a CSV file.”

PowerSource is PowerSchool’s customer support portal for the vendor’s products and is available to all member school districts. According to the company, PowerSource has 429,736 users.

While PowerSchool detected the malicious activity December 28, some school districts reported such problems as early as December 22 resulting from an IP address geolocated to Ukraine, NJCCIC reported.

“Some [districts] also noted that the maintenance user was identified as ‘200A0’ in the ps-log-audit files,” the agency wrote. “This maintenance user is linked to the PowerSource ‘export data manager’ customer support tool that the threat actor used to exfiltrate data.”
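A triage sketch for the indicator described above, added here as an example and not taken from PowerSchool, NJCCIC or the original article: it looks for the ‘200A0’ maintenance user in audit-log lines and groups the activity by source IP, counting export actions. The line layout (an ISO date plus `user=`, `ip=` and `action=` fields) and the sample lines are assumptions, since the article does not show the ps-log-audit format.

```python
import re
from collections import defaultdict
from datetime import date

MAINT_USER = "200A0"           # maintenance user named in the NJCCIC statement
SINCE = date(2024, 12, 22)     # earliest district-reported activity per the article

# Assumption: each audit line carries an ISO date and the client IPv4 somewhere in it.
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Match the user ID as a whole token so "1200A07" or "200A01" do not count.
USER_RE = re.compile(rf"(?<![0-9A-Za-z]){re.escape(MAINT_USER)}(?![0-9A-Za-z])")


def triage(lines, since=SINCE):
    """Group maintenance-user activity by source IP: first/last day, hits, export hits."""
    seen = defaultdict(lambda: {"first": None, "last": None, "hits": 0, "exports": 0})
    for line in lines:
        if not USER_RE.search(line):
            continue
        m = DATE_RE.search(line)
        day = date(*map(int, m.groups())) if m else None
        if day is not None and day < since:
            continue                      # older support sessions are out of scope
        ip = IP_RE.search(line)
        rec = seen[ip.group(0) if ip else "unknown"]
        rec["hits"] += 1
        rec["exports"] += "export" in line.lower()
        if day is not None:
            rec["first"] = day if rec["first"] is None else min(rec["first"], day)
            rec["last"] = day if rec["last"] is None else max(rec["last"], day)
    return dict(seen)


# Constructed sample lines (documentation-range IPs); not real PowerSchool log output.
SAMPLE = [
    "2024-11-03 09:14:02 user=200A0 ip=198.51.100.7 action=login",
    "2024-12-22 02:41:10 user=200A0 ip=203.0.113.45 action=login",
    "2024-12-22 02:47:55 user=200A0 ip=203.0.113.45 action=export table=students",
    "2024-12-23 03:02:31 user=200A0 ip=203.0.113.45 action=export table=teachers",
    "2024-12-23 08:15:00 user=1200A07 ip=192.0.2.10 action=login",
    "2024-12-24 11:00:00 maintenance session closed for 200A0",
]

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE).items():
        print(ip, rec)
```

Lines without an IP are kept under `unknown` rather than dropped, so a maintenance session logged in a different layout still shows up in the summary.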

Not Ransomware, But a Ransom Paid

In addition, while PowerSchool executives had said the attack wasn’t a traditional ransomware attack, the organization did pay a ransom to ensure the stolen data was not released publicly, the New Jersey agency wrote. They were shown a video that appeared to confirm that all the copies of the data were deleted after the ransom was paid, but the NJCCIC warned that there is no guarantee the hackers were being truthful.

“As a precaution, PowerSchool is monitoring the dark web for any potential leaks,” the agency wrote.

In their letter, the PowerSchool executives said only that they “have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.”

Trying to Allay Fears

They sought to further calm fears by stressing that once the hack was detected, the company instituted cybersecurity response protocols, put a response team in place that included PowerSchool leadership and third-party cybersecurity experts, and notified law enforcement. They also deactivated the compromised credential, restricted access to the affected portal, reset the password, and tightened password and access controls for PowerSource accounts.

In addition, PowerSchool will provide credit monitoring to adults whose information was compromised and identity protection services to affected minors.

“The incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment,” they wrote. “PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.”

K-12 Schools a Growing Cyberthreat Target

However, officials with affected school districts, such as Westford, Massachusetts, Bozeman, Montana, and Indianapolis, Indiana, are notifying parents and teachers about the breach.

Public schools are seeing the number of cyberattacks rise, with more than 1,600 cyber incidents against K-12 school districts in the United States between 2016 and 2022, with the U.S. Government Accountability Office saying school districts lose between $50,000 and $1 million in data breaches.

“Adversaries have targeted our … K-12 education system due to the extensive amounts of personal and financial data they maintain about our kids, teachers, school staff and records on the schools themselves,” CISA wrote in a report. “Yet, most educational districts lack the resources to put in place a comprehensive cybersecurity program. So many of our schools across the nation are, what we call, ‘target rich, cyber poor’ in that they are often a frequent target for ransomware and other cyberattacks due to the extensive data kept on school networks, often without the proper protection.”

CISA and other federal agencies, including the U.S. Education Department, have worked with school districts to strengthen their protections.

Source: https://securityboulevard.com/2025/01/hackers-attack-powerschool-expose-k-12-teacher-and-student-data/