PowerSchool Breach: The Massive Data Leak They Won’t Explain – Ankor Tech

Months into 2025, the massive cyberattack on edtech giant PowerSchool stands as one of the most significant education data breaches in recent history. The incident, which compromised systems serving over 60 million students across 18,000 North American schools, remains shrouded in corporate opacity despite the company’s public postmortem report.

The Scope of the Breach

PowerSchool, acquired by Bain Capital for $5.6 billion, first disclosed that an unauthorized actor utilized a single compromised credential in December 2024 to infiltrate its customer support portal. This entry point granted the attacker access to the company’s core SIS (Student Information System), which houses sensitive records, attendance, and enrollment data.

While the company admitted that the breached portal lacked multi-factor authentication at the time, it has consistently refused to quantify the number of affected individuals. Reports from BleepingComputer suggest the haul includes data on 62 million students and 9.5 million teachers, a figure PowerSchool refuses to verify.

Data Exposure and Uncertainties

The exact nature of the stolen information remains unclear. Although the company acknowledges potential exposure of Social Security numbers and medical data, it claims the impact varies by customer. Affected school districts, however, report that highly sensitive historical files, including restraining orders and parental access rights, may have been compromised.

PowerSchool has provided schools with a “SIS Self Service” tool to assess potential data loss, but the company has simultaneously warned that this tool may not accurately reflect the actual volume of exfiltrated data.

Ransom Payments and Forensic Gaps

PowerSchool’s admission that it engaged a cyber-extortion firm to negotiate with the threat actors strongly implies a ransom payment was made. Despite this, the company refuses to disclose the financial terms or the amount demanded by the hackers. Furthermore, PowerSchool claims it “believes” the data has been deleted, yet it has provided no verifiable evidence to support this assertion, leaving experts skeptical.

CrowdStrike Report: Underwhelming Findings

The forensic report prepared by CrowdStrike, released in March, confirmed that attackers had access to PowerSchool’s systems as early as August 2024. However, the report failed to identify the root cause of how the credentials were initially acquired.

Industry experts, including Mark Racine of RootED Solutions, have characterized the findings as “underwhelming,” noting that the report lacks sufficient detail to explain systemic failures. The lack of adequate logs means even the forensic investigators cannot definitively confirm whether the August and December intrusions were the work of the same threat actor, leaving school districts to navigate the aftermath with incomplete information.

Lingering Questions

As PowerSchool continues to direct inquiries to its official incident page, the lack of transparency remains a flashpoint for affected institutions. With state regulators, such as those in Texas and Maine, still processing filings, the full extent of the breach may take years to emerge.