What PowerSchool won't say about its data breach affecting millions of students
https://techcrunch.com/2025/03/10/what-powerschool-isnt-saying-about-its-massive-student-data-breach/
lowlights
We’re only a few months into 2025, but the recent hack of U.S. edtech giant PowerSchool is on track to be one of the biggest education data breaches in recent years.
PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, first disclosed the data breach in early January 2025.
The California-based company, which Bain Capital acquired for $5.6 billion, said an unknown hacker used a single compromised credential to breach its customer support portal in December 2024, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment.
They paid a ransom, but there's no evidence that the stolen data has been deleted.
In a communication shared with customers in January, seen by TechCrunch, PowerSchool said the hacker stole “sensitive personal information” on students and teachers, including students’ grades, attendance, and demographics. The company’s incident page also states that stolen data may have included Social Security numbers and medical data, but says that “due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base.”
---
It appears that it's not a question of WHETHER a company or organization will be hacked, but WHEN, and other than data backups (and we are talking 18,000 separate sites with IT admins), there seems to be no design for resilience, and IMO, this business of stealing credentials is beyond lame site management. A SINGLE compromised credential.
Cross-posted in Computer Help.