Since PowerSchool first publicly disclosed in January that it had fallen victim to a data breach that compromised some student and teacher data, scrutiny and investigations into the incident have escalated.
PowerSchool, which serves over 60 million students and 18,000 educational customers, told K-12 Dive last month that it discovered on Dec. 28 what it called a “potential” cybersecurity incident. A threat actor reportedly gained unauthorized access to an unknown amount of PowerSchool's student and staff data by going in through the company's PowerSource service, a customer support portal for district and school staff.
The threat actor is believed to have stolen data from two tables containing family and teacher information from PowerSchool’s Student Information System database. PowerSchool also previously told K-12 Dive that the infiltrated PowerSource system lacked multifactor authentication — a standard and encouraged practice for securing sensitive data.
Some of the breached data may include students’ and teachers’ personally identifiable information like names, addresses and Social Security numbers — as well as, in some cases, medical data.
Following reports that PowerSchool had failed to encrypt the PowerSource system, the Future of Privacy Forum, a nonprofit promoting privacy protections, on Feb. 13 dropped the company as a signatory from its Student Privacy Pledge.
FPF said the failure to use multifactor authentication specifically violates the think tank’s pledge, which in part requires ed tech companies to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII [personally identifiable information] — such as unauthorized access or use, or unintended or inappropriate disclosure — through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.”
Though PowerSchool has yet to confirm the number of students or school districts affected, multiple class action lawsuits have been filed against the software company over the breach.
More recently, some government officials in and outside of the U.S. have also started to take notice.
For instance, Canada's privacy commissioner on Feb. 11 announced an investigation regarding the breach after PowerSchool announced that schools there had been impacted.
“My immediate focus is on ensuring that the company is taking the necessary steps to address the issue and protect Canadians’ personal information, notably breach containment and measures to reduce risks to those affected, as well as actions to prevent future breaches,” Canadian commissioner Philippe Dufresne said in a statement.
Meanwhile, state-level pushback is also ramping up, as North Carolina Attorney General Jeff Jackson announced an investigation into PowerSchool on Feb. 6. Jackson said the breach could have affected up to 4 million people in his state alone.
“I’m a parent who uses PowerSchool, so I know what millions of North Carolina families are concerned about with this data breach,” Jackson said in a statement. “I’m investigating PowerSchool to determine if they broke any laws in this process, and I’ll take additional legal action if necessary. We’ll continue working to guard our state from data breaches and hold those who fail to properly protect information accountable.”
Since that announcement, at least one North Carolina school district has backed Jackson’s efforts.
On Feb. 11, the Lee County Board of Education approved a letter to Jackson asking that he consider legal action against PowerSchool over the breach. The board’s letter said the incident compromised the sensitive personal information of some of its students and staff, including some staff Social Security numbers.
“As you know, the potential consequences of this breach are very serious, including the possibility of identity theft, financial fraud, and other harms. The protection of student and staff data is of paramount importance, and the failure of PowerSchool to adequately safeguard this information is unacceptable,” the board wrote.
The letter further calls on Jackson’s office to consider how to ensure that timely breach notifications and stronger cybersecurity protections are in place to prevent such incidents in the future. The board also said Jackson should determine whether PowerSchool complied with all applicable data privacy laws, including the Family Educational Rights and Privacy Act.