Cybercriminals spare no industry, targeting sectors like healthcare, insurance, automotive, and education. Healthcare has been a frequent target, with attacks like the Ascension breach last year and the CVR incident in late 2024. Now, the education technology giant PowerSchool has become the latest target, with records of millions of students and teachers stolen.
While the exact number of affected individuals remains unknown, the scale of the breach is alarming. PowerSchool serves 18,000 customers worldwide, including schools in the US and Canada, managing grading, attendance, and personal information for over 60 million K-12 students and teachers.
How did hackers target PowerSchool
PowerSchool revealed a cybersecurity breach to its customers on Jan. 7, as reported by BleepingComputer. The company said it discovered the breach on Dec. 28, 2024, after customer data from its PowerSchool SIS platform was stolen through the PowerSource support portal.
PowerSchool SIS is a student information system used for managing grades, attendance, enrollment, and other student records. Hackers accessed the PowerSource portal using stolen credentials and used an “export data manager” tool to steal information.
The company stated this wasn’t a ransomware attack or a result of software flaws, but rather a straightforward network break-in. The company has hired a third-party cybersecurity firm to investigate the breach, figure out what happened, and determine who was affected.
What data got stolen
The PowerSource portal includes a feature that allows PowerSchool engineers to access customer systems for support and troubleshooting. The attacker exploited this feature to export the PowerSchool SIS “Students” and “Teachers” database tables to a CSV file, which was then stolen.
PowerSchool confirmed that the stolen data primarily includes contact details like names and addresses. However, for some districts, the data may also include sensitive information such as Social Security numbers (SSNs), personally identifiable information (PII), medical records, and grades.
The company stated that customer support tickets, credentials, and forum data were not accessed or stolen during the breach. PowerSchool also emphasized that not all SIS customers were affected and expects only a subset of customers will need to notify those impacted.
“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” the developer told customers in a notice.
“We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”
PowerSchool stated that affected adults will be offered free credit monitoring, while minors will receive subscriptions to an unspecified identity protection service.
5 ways you can stay safe from the PowerSchool data breach
The PowerSchool data breach has highlighted the importance of staying vigilant about your personal information. Here are five steps you can take to protect yourself:
1) Monitor your accounts regularly: Keep a close eye on your bank accounts, credit cards, and any online services linked to your personal information. Watch for unauthorized transactions or changes to your accounts that could signal misuse of your data.
2) Freeze your credit: If your Social Security number (SSN) or other sensitive details were compromised, consider placing a credit freeze with major credit bureaus like Equifax, Experian, and TransUnion. This prevents potential identity thieves from opening new accounts in your name.
3) Use identity protection services: Take advantage of any identity protection services offered by PowerSchool as part of their breach response. These services can alert you to suspicious activity and provide support if your identity is stolen.
4) Enable two-factor authentication (2FA): Wherever possible, enable 2FA for your online accounts. This adds an extra layer of security by requiring a second form of verification, such as a text code or app-generated token, to access your accounts.
5) Be aware of phishing links and use strong antivirus software: Cybercriminals often use phishing scams to exploit data breaches. Avoid clicking on suspicious links in emails or text messages, especially those claiming to be from PowerSchool or your school district.
The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Kurt’s key takeaway
You can blame hackers for this breach, but PowerSchool shares the responsibility for failing to adequately protect sensitive data. The company may also be in violation of data privacy agreements it signed with school districts, as well as federal and state laws designed to safeguard student privacy. What’s more concerning is that PowerSchool took nearly two weeks to notify its customers about the breach. Schools are now left scrambling to assess the full extent of the intrusion. This delay is not just irresponsible; it puts students, parents, and teachers at heightened risk of cyberattacks and identity theft.
Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.