PowerSchool Cyber Incident FAQ

On January 7, 2025, the edtech software provider, PowerSchool, announced a cyber incident to its customers across the U.S. The purpose of this FAQ is to provide some supplementary information about the incident directly to the K-12 community. While members of K12 SIX have benefitted from numerous ad hoc briefings and resources to date, this FAQ is being provided as a public service to the K-12 community. It is unofficial and will be updated periodically as information becomes available. (Note: While the incident also affected school systems in Canada, this FAQ is U.S.-centric.)

What happened?

Read:

• Abrams, Lawrence. “PowerSchool hack exposes student, teacher data from K-12 districts” Bleeping Computer. 7 January 2025.

• Doe, Dissent (pseudonym). “PowerSchool discloses breach affecting hosted and self-hosted school k-12 districts.” DataBeaches.net. 8 January 2025.

• Merod, Anna. “PowerSchool data breach possibly exposed student, staff data.” Cybersecurity Dive. 10 January 2025.

PowerSchool has reportedly hired the cybersecurity firm CrowdStrike to conduct a forensic analysis with additional details. PowerSchool has promised to share this report with customers later this month (i.e., January 2025).

How did it happen?

While PowerSchool has claimed a strong cybersecurity culture, it had a failure of cybersecurity controls and was victimized by an as-of-yet unnamed malicious threat actor.

What should PowerSchool SIS customers do?

Read:

• Vesco, Brandi. “How Districts Can Face Fallout from PowerSchool SIS Breach.” Government Technology. 10 January 2025.

• Lazzarotti, Joseph L. “FAQs for Schools and Persons Affected By the PowerSchool Data Breach.” JacksonLewis. 11 January 2025.

Affected customers saw both student and teacher tables exfiltrated. Self-hosted customers should be prepared to install forthcoming security patches. All customers should review logs (customer-developed, unofficial guidance) and make notifications to school community members and state officials, as appropriate. Post-incident it is vital that school systems re-evaluate their third-party cyber risk management practices, pre- and post-procurement, as well as consider establishing or re-evaluating data minimization practices. (Both of these practices are among those that K12 SIX recommends.) Finally, current and former school community members should be on guard for potential phishing/social engineering attempts using this incident as pretext.

What should customers of other PowerSchool products do?

Based on available information, there is no reason to believe that any other PowerSchool product was impacted as part of this incident. Going forward, it is vital that school systems re-evaluate their third-party cyber risk management practices, pre- and post-procurement, for all vendors.

What should current and former school staff, parents, and students do?

Read:

• Zimmermann, Ale. “How to protect your child's identity amid PowerSchool data breach.” NBC Boston. 9 January 2025.

• Doe, Dissent (pseudonym). “PowerSchool Incident: A few resources for teachers, parents, and former students“. DataBreaches.net. 10 January 2025.

Current and former school community members should be on guard for potential phishing/social engineering attempts using this incident as pretext.

Select TV news reports:

For further reading: