Folsom-based PowerSchool data breach exposes info of local students, schools nationwide
A Sacramento-area school district notified school staff and families of its nearly 21,000 students Thursday that their information was exposed in a data breach.
The staff and students at the Folsom Cordova Unified School District represent a fraction of the millions of people whose information could have been made vulnerable by the breach affecting PowerSchool, a K-12 software company that provides educational software worldwide but is headquartered within the district’s boundaries.
Folsom Cordova Unified spokesperson Angela Griffin wrote in an email to the parents and staff that the breach has been contained and that the vendor is working to prevent any of the compromised data from being used or shared.
“District staff is in constant communication with PowerSchool regarding this incident and we will keep our FCUSD community informed of future updates,” she wrote. “This breach is on PowerSchool’s end and has not affected any of our other systems in the District. We take matters of cybersecurity very seriously and have multiple preventative and proactive measures and procedures in place.”
How PowerSchool was hacked
The school tech giant was made aware of the breach late last month and notified affected customers Tuesday.
“We are reaching out to make you aware that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” reads the notification sent to customers.
The threat actor used a compromised credential to access and export databases of information from students and teachers, according to a PowerSchool spokesperson, though the company has not explicitly stated what information was accessed.
In a FAQ accessible to affected customers, PowerSchool confirmed that it worked with CyberSteward, a Canadian organization that offers so-called cyber-extortion incident response services, to negotiate with the threat actors responsible for the breach, and that the company paid hackers to prevent them from publishing the stolen data.
“The incident is contained and we do not anticipate the data being shared or made public,” a PowerSchool spokesperson said.
Such exploits and hacks have become increasingly common for school districts across the U.S., according to federal education officials. One security consultancy said between 2016 and 2022, more than 1,600 incidents were announced by districts, including attacks like ransomware and denial-of-service, in which a server is flooded with requests to the point of failure. Another firm, Emsisoft, said nearly 200 attacks affected U.S. K-12 schools and colleges in 2023.
“Educational institutions can be a lucrative and vulnerable target for malicious cyber actors because they maintain sensitive student and staff data and personal information, utilize multiple forms of technologies to facilitate learning, and often lack resources to put in place comprehensive cybersecurity programs,” according to a federal task force of agencies that provides safety guidance to schools.
PowerSchool, which was acquired by Bain Capital in a deal worth $5.6 billion in June, employs 3,000 workers around the world, including 500 in Folsom. It offers a range of cloud-based services to 18,000 schools with access to 60 million students across 90 countries. Only customers of its student information system, which is used to manage student records, grades, attendance and enrollment, were affected.
Other districts in the area, like Sacramento City Unified and San Juan Unified school districts, use PowerSchool for ancillary online services, such as forms processing, but were not affected by the breach.
According to PowerSchool, the company’s cloud-based software is used by more than 55 million students and 17,000 educational customers in more than 90 countries.