Children's data hacked after school software firm missed basic security step, internal report says
The hack of a company that helps schools track tens of millions of students appears to be the largest breach of American children's personal information to date, school officials and cybersecurity experts say.
And a specially commissioned interim cybersecurity audit by cybersecurity company CrowdStrike showed that the company had apparently failed to take basic precautions to protect students' data, according to a copy exclusively obtained by NBC News and records of internal discussions.
The company, PowerSchool, is best known for its Student Information System (SIS), one of the most widely used education tech programs in the U.S., and one of the breached systems. The SIS software helps school districts keep track of K-12 students, collecting information like their name, school, birthday, address and parent or guardian. Many districts go further and add information like their Social Security number, health concerns or disciplinary records.
Theft of children's data is regarded as particularly egregious, as they usually have no agency in how it's protected. It can be difficult to draw a direct line from a particular data breach to a given instance of identity theft, as cybercriminals repeatedly repackage and resell victims' information. But identity theft cost Americans around $43 billion in 2023, according to a 2024 study by AARP.
'We recognize the significance of this incident and are deeply regretful that it occurred,' Beth Keebler, a PowerSchool spokesperson, said in an emailed statement. 'PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.'
Cybercriminals who steal sensitive data often threaten to publish it if they're not paid a ransom. PowerSchool declined to comment to NBC News about any extortion demand or payment. But in a private virtual briefing with customers, the company's chief information officer, Mishka McCowan, said the company had paid the hacker and received a video of them appearing to delete the stolen data, a person who attended the call told NBC News.
Cybersecurity experts caution that cybercriminals can backtrack on promises not to release data, and it's impossible to verify that the hacker didn't make backup copies.
In December, a hacker gained what appears to be full access to the SIS information of those schools that had used customer support. While not the entirety of PowerSchool's customer base, the breach appeared to expose the data of tens of millions of American children. While exact numbers are still unclear, the hacker has claimed the figure to be 62 million. That figure was first reported by the tech news site Bleeping Computer.
As of Thursday, the breached data did not appear to be publicly available online.
Private assessments of the hack show the company failed to take basic steps to protect students' data. PowerSchool hired the cybersecurity firm CrowdStrike to help investigate the breach. An interim report prepared by CrowdStrike and disseminated to some school officials, the contents of which had not previously been public and which was acquired by NBC News, found no evidence that the hackers used malware or found a backdoor into PowerSchool's systems. Instead, the hacker simply obtained a single employee's password. That granted access to a 'Maintenance Access' function that let them download millions of children's personal information.
According to the CrowdStrike report, the company was not even aware that it had been the victim of such a massive hack until late December, several days after it happened, when the hacker contacted the company to inform it and ask for a payment.
CrowdStrike declined to comment, in line with industry practice.
In a private online chat that included company executives and school representatives, an executive admitted that the hackers were able to access and download the student records by logging into one account that didn't have two-factor authentication enabled, one of the most basic cybersecurity standards for any account, particularly one that has access to sensitive information. One participant, who requested not to be named, took a screenshot of the chat and shared it with NBC News.
Bill Fitzgerald, an independent security consultant for schools, said that was an example of poor security, though not uncommon in the EdTech industry.
'If you're not enforcing multifactor authentication, that's just not best practice,' Fitzgerald told NBC News. 'But this happens all the time.'
Doug Levin, the national director of K12 SIX, an industry nonprofit devoted to helping schools guard themselves from hackers, blamed lax cybersecurity standards across what's referred to as EdTech, the industry of education-focused technology that schools increasingly rely on, especially since the Covid-19 pandemic. Levin told NBC News that the hack and the lack of safeguards were both extreme but still emblematic of the industry.
'For a sector so integral to the American way of life, it is unconscionable that neither K-12 schools — nor their vendors — are held to a cybersecurity standard of practice,' he said, referencing cybersecurity issues that plague the sector. 'This incident is unique both for its scope and the sensitivity of the data.'
PowerSchool declined to share specifics on how many students were affected by the hack, citing its ongoing investigation, but a spokesperson said the company was confident the number of students whose Social Security numbers were compromised was less than 25% — a figure that could still reach into the tens of millions.
Terry Loftus, the chief information officer for the San Diego County Office of Education, where seven districts are PowerSchool customers, told NBC News he was particularly concerned about hackers accessing additional student information that some school districts include in SIS.
'We may be talking about disabilities and what supports are being put in place for special education students,' Loftus said. 'This is massively sensitive, and something that's of high value to threat actors, as far as reselling to various nefarious groups or data brokers.'
'As it stands right now or as it appears, unless we hear otherwise, this will likely ultimately be the largest breach of K-12 students,' he told NBC News.
In some cases, former students' information was also in the PowerSchool program and their personal information was stolen as well, the company said in a press release.
There is no formal public accounting of PowerSchool's reach, but it has statewide contracts with Alabama, North Carolina and South Carolina, though use of the SIS software can vary within a state. Other states where schools have warned students and parents about the PowerSchool breach include Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Wisconsin and Wyoming.
Georgia broadcaster 11Alive has estimated from the state's Department of Education figures that more than 230,000 current students in the state may have been affected.
In some cases, school districts have warned that the hackers stole remarkably specific information. Utah Schools for the Deaf and the Blind announced that the hackers gained access to not just students' names, birthdays and grades, but also their locker numbers and combinations and the balances in their lunch accounts.
Sarah Powazek, the director of the University of California, Berkeley's public interest cybersecurity program, which offers cybersecurity help to schools and other civic organizations that may not be able to afford it, said schools are in the unfortunate position of trusting companies like PowerSchool to protect their students' private information.
'School districts really have no control over this product, and it's not up to them whether or not PowerSchool itself is implementing the correct security procedures within their own organization. The schools are very much at the mercy of these educational technology products,' Powazek told NBC News.
Publicly, PowerSchool has said it takes pains to ensure high cybersecurity standards. In 2023, CEO Hardeep Gulati joined then-first lady Jill Biden at a White House event promoting EdTech cybersecurity. The company's website says it takes a litany of steps to protect kids' and teachers' data, including routine security audits and 'Extensive and ongoing security/cybersecurity training for all our employees.'
PowerSchool is a signatory to another pledge, created by the nonprofit Future of Privacy Forum, in which it promises to take a series of basic steps to protect students' information. A spokesperson for the Future of Privacy Forum told NBC News that PowerSchool's status as a signatory is currently under review for 'potential violations of the company's Student Privacy Pledge commitments.'
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Finextra
42 minutes ago
- Finextra
Retailers Accepting Crypto Payments – With Instant Settlement in Cash: By Shane Rodgers
Cryptocurrency payments are gaining interest in the retail world, from luxury watches to fast food. As consumers express interest in paying with digital assets, businesses see a means of gaining a larger customer base. With a new generation of crypto payment solutions now available, businesses can accept crypto seamlessly, converting it instantly to their local currency. The merchants never touch the crypto, so there is no need to worry about crypto volatility, wallets to manage, or compliance headaches. A Shift in Retail Payments Consumer desire to use crypto at checkout is growing fast. The numbers back it up: 65 million Americans now own crypto, and according to Capital One, 80% would like to use it for everyday purchases. These consumers may be shopping for luxury items, but they also want to pay for groceries, plane tickets, and even fast food with digital currency. What's more, crypto users typically spend twice as much as those using traditional cards. Retailers are responding. In the United States alone, over 6,000 merchants already accept Bitcoin payments, and a Deloitte survey reveals that 85% of retailers see crypto as a tool to engage new audiences. Early Adoption Across Sectors The pay by crypto option isn't just theoretical — businesses are already seeing the impact. PDX Beam has been piloting its payment gateway with dozens of merchants across diverse industries, from diamond sellers to luxury car dealerships. By offering crypto-based payment these businesses are accessing a new demographic of spenders. One international fast-food chain is launching a crypto payment pilot in ten Miami-Dade locations, part of its expansive U.S. presence of 6,800 outlets. These tests could soon bring crypto payments to the mainstream of fast-food transactions. Beyond individual retailers, major retail payment players behind the scenes are getting involved. A $7.5 billion financial institution has signed a deal to process crypto payments, while a private equity group is using PDX Beam to enable crypto transactions for its portfolio of retailers. Eliminating Crypto Exposure for Merchants For most merchants, the biggest worry is dealing with crypto's price swings and the operational headaches of managing digital assets. PDX Beam's modern crypto-to-cash gateway eliminates that concern entirely. When a customer pays in crypto, the system instantly converts it to local currency and deposits the funds directly into the merchant's account — usually within seconds. Retailers don't touch the crypto themselves, meaning there's no exposure to volatility and no need to maintain separate crypto accounts. Plus, because these payments settle on blockchain rails, they help reduce the risk of chargeback fraud, offering merchants an extra layer of security. Lower Fees and Instant Settlement Another major benefit is the fees associated with crypto payments. While traditional card payments come with fees that can reach 3-4% for standard transactions and up to 7% in high-risk sectors (including cannabis stores), crypto payments bypass these intermediaries, lowering transaction costs to less than half Visa/MC charges. Settlement speeds are another major advantage. Credit card transactions can take days to clear, but crypto payments through these new gateways settle in real time or the same day — helping retailers improve cash flow. Positioning for the Future The shift toward crypto payments isn't slowing down. Big banks like JP Morgan and Goldman Sachs are launching crypto products, and the U.S. government is laying the groundwork for regulations that will support the growing digital asset economy. Worldpay forecasts that crypto spending worldwide will more than double by 2030, from $16 billion to $38 billion. For retailers, the takeaway is clear: crypto payments aren't a passing trend. Consumers want to use it, and with modern gateways eliminating risk and complexity, merchants can meet this demand safely and efficiently. By enabling crypto transactions without ever directly handling digital assets, retailers can meet the needs of this new generation of shoppers who are living increasingly digital-first lives.
Daily Mirror
an hour ago
- Daily Mirror
US tourist 'hit accelerator rather than brake in fatal crash' near UK landmark
A court heard US tourist Cathy Stewart, 67, hit a woman who was sitting on a bench near the Giant's Causeway in Northern Ireland with her vehicle - the woman later died An American tourist involved in a fatal crash near the Giant's Causeway in Northern Ireland hit the accelerator rather than the brake, a court heard today. US resident Cathy Stewart, 67, appeared at Coleraine Magistrates' court charged with causing death by careless driving. A police officer told the court the collision, involving a grey Ford Transit vehicle, happened at the front of the Causeway Hotel in Bushmills at around 12.15pm on Wednesday. The officer said a pedestrian who was sitting on a bench was hit during the crash. The Helicopter Emergency Medical Service (HEMS) and Ambulance Service personnel rushed to the scene of the collision. The pedestrian was taken to Causeway Hospital in Coleraine but sadly died of her injuries. In court, the police officer said footage obtained from the hotel showed the vehicle being "parked in a disabled parking bay" before passengers departed, Belfast Live reports. The court heard that the footage shows the vehicle "move forward slowly" before it "suddenly bolts forward". The deceased's brother, who was also sitting on the bench, managed to "jump out of the way" of the moving car, the court heard. The officer said Ms Stewart, who was cautioned at the scene, "gave an account consistent with the CCTV." The driver told police she had "tried to apply the foot brake and hit the accelerator" and she "appeared remorseful" during interview, the officer said. The defendant said she had "never driven an electric or hybrid vehicle before" and had mistakenly believed the vehicle was "off". The court was told the defendant said she had got back in to the car and was "feeling for the brake to stop the vehicle". A defence solicitor described the collision as a "tragic, tragic case" where a "simple error" has had "catastrophic consequences." The solicitor read a portion of the defendant's interview with police, where Stewart had described herself as "just devastated". The solicitor told the court the defendant had said she "can't get that family out of my head" and that her "only thoughts are with that family". The court heard the defendant had worked for decades as a special needs teacher, had no criminal record, and had never been involved in an at-fault collision before. Bail was granted with a £5,000 cash surety with the judge describing it as "entirely disproportionate" to keep the defendant in custody or away from her home in the United States during what he said is expected to be a lengthy judicial process. The case was listed again for July 1.
NBC News
2 hours ago
- NBC News
How Israel's Iran strikes might open 'Pandora's box' for the region — and the U.S.
If Iran did decide to retaliate against American interests, that would likely mean some form of 'major creep' into Iraq or the Gulf, Geranmayeh, at the European Council on Foreign Relations, told NBC News. And that's less likely, according to her and other analysts, because of the rapprochement between Tehran and previous foes such as Saudi Arabia and Qatar in recent years. Despite Israel's overwhelming military superiority, Netanyahu could be in a tricky spot, as he does not have the capabilities to eliminate Iran's nuclear facilities alone, according to Dina Esfandiary, the Middle East geoeconomics lead for Bloomberg Economics, Bloomberg's internal research division. With its U.S.-funded armed forces, Israel 'can do considerable damage' she said. 'But it can't be successful' in its stated objective of 'crippling Iran's nuclear program' without 'the U.S. coming on board,' Esfandiary said. Principally, it doesn't have the means to target the deeply buried underground facilities of Iran's nuclear program, experts say. In short, as Rouzbeh Parsi, director of the Middle East program at the Swedish Institute of International Affairs, put it on X: 'Israel has always been capable of starting this war. But it has been equally clear that it cannot finish it on its own.'
