(NewsNation) — A leading education technology firm was the target of a data security breach last month, potentially exposing the sensitive data of millions of students and teachers, including Social Security numbers and medical information.
PowerSchool, the largest provider of cloud-based education software for K-12 education in the country, notified schools about the incident earlier this month, but the full scale of the cyberattack is still coming into view.
A new report from BleepingComputer, a cybersecurity news outlet, said the data breach impacted more than 62 million students and over 9.5 million teachers across 6,500 school districts.
Those numbers reportedly come from an extortion demand the hacker sent to the company.
A spokesperson for PowerSchool would not confirm or deny the figures in an email to NewsNation, but the company's website says it supports more than 60 million students globally.
Here's what we know about the PowerSchool data breach and what information was exposed.
What happened?
PowerSchool said it first became aware of the breach on Dec. 28 after customer data from its PowerSchool Student Information System (SIS) was stolen through its PowerSource support portal.
PowerSchool SIS is a student information system that schools and districts use to manage grades, track attendance, enrollment and other student records.
Hackers accessed the portal using compromised credentials and stole the data using an "export data manager," BleepingComputer reported.
PowerSchool reportedly paid a ransom to prevent the stolen data from being leaked privately and saw a video of the hacker claiming to delete the data.
A company spokesperson would not say whether it paid a ransom, but major districts affected by the breach said they were told all the downloaded data had been destroyed.
The company revealed the incident to its customers on Jan. 7 and said districts and schools that do not utilize PowerSchool SIS were not affected.
What information was exposed?
The stolen data primarily contains contact info like names, addresses and dates of birth. However, it could also include more sensitive info like Social Security numbers and "limited medical alert information," according to PowerSchool.
A company spokesperson told NewsNation that most individuals, more than three-quarters, did not have Social Security numbers exposed in the breach.
The type of data exposed varies by district due to different state and district policies, but there is no evidence that credit card or banking information was involved, PowerSchool said.
Some districts have revealed which data was stolen. In Lake Forest, Illinois, a pair of districts said in a public notice that the following student information had been accessed:
Student name and ID number
Parent/guardian contact information
Dates of enrollment and withdrawal reasons
Bus stop code
Physician’s name and phone number
Limited medical alert information (e.g., allergies)
Existence of an IEP or 504, not plan specifics or eligibility information
Student school and homeroom

Staff also had info like their names, most recent department and school email addresses exposed, the districts said.
In total, about 20,000 current and former students and staff records were accessed between the two districts. However, sensitive data like Social Security numbers and insurance information were not compromised.
Teachers in other parts of the country weren't so lucky.
In North Carolina, about 312,000 teachers’ Social Security numbers were exposed in the breach, according to WRAL News.
Whose data was stolen?
The company would not say how many districts and schools were involved in the breach when asked by NewsNation.
BleepingComputer reported Wednesday that the data breach impacted 62,488,628 students and 9,506,624 teachers across more than 6,500 school districts in the U.S., Canada and other countries.
PowerSchool would not confirm those numbers, but they're in line with claims on the company's website.
PowerSchool says its software is used by over 18,000 customers to support more than 60 million students around the world. According to TechCrunch, the company serves more than 75% of students in North America.
In some places, like the Memphis-Shelby School District in Tennessee, a PowerSchool account is required to enroll, according to FOX13 Memphis.
"We don't get a choice," one parent said. "If that information can be leaked out, that's serious."
Now, the school district is among the largest allegedly impacted, with more than 485,000 students and 54,000 teachers' information exposed, BleepingComputer reported.
The San Diego Unified School District, the second largest school district in California, also notified families that its student data had been caught up in the breach.
In Texas, the Dallas Independent School District published a notice earlier this month saying it was affected by the incident.
Other major districts that were impacted include Charlotte-Mecklenburg Schools and the Wake County Public School System (WCPSS) in North Carolina.
WCPSS said the potentially impacted data includes some staff members' Social Security numbers as well as their street addresses and other personal info. The school system said no students' Social Security numbers were accessed, but their names, birthdays and mailing addresses may have been.
What's being done about it?
The company doesn't believe there is an ongoing risk and said there's no evidence of malware or "continued unauthorized activity."
PowerSchool said it's still working to complete its investigation and is setting up a system to provide resources to those who may have been impacted.
Parents and guardians whose student's data was exposed will receive a notification email from PowerSchool "over the next few weeks," the company said.
PowerSchool says it will also offer 2 years of free identity protection and credit monitoring services for all impacted students and educators.
"We are committed to learning from this incident, becoming stronger and more resilient as a company for having experienced it – and most importantly – we are committed to serving our customers and our shared communities," a company spokesperson said in an email.
You can monitor updates and learn more about the incident at the public website set up by PowerSchool.