Children's data hacked after school software firm missed basic security step, internal report says

The hack of a company that helps schools track tens of millions of students appears to be the largest breach of American children's personal information to date, school officials and cybersecurity experts say.
And a specially commissioned interim cybersecurity audit by cybersecurity company CrowdStrike showed that the company had apparently failed to take basic precautions to protect students' data, according to a copy exclusively obtained by NBC News and records of internal discussions.
The company, PowerSchool, is best known for its Student Information System (SIS), one of the most widely used education tech programs in the U.S., and one of the breached systems. The SIS software helps school districts keep track of K-12 students, collecting information like their name, school, birthday, address and parent or guardian. Many districts go further and add information like their Social Security number, health concerns or disciplinary records.
Theft of children's data is regarded as particularly egregious, as they usually have no agency in how it's protected. It can be difficult to draw a direct line from a particular data breach to a given instance of identity theft, as cybercriminals repeatedly repackage and resell victims' information. But identity theft cost Americans around $43 billion in 2023, according to a 2024 study by AARP.
'We recognize the significance of this incident and are deeply regretful that it occurred,' Beth Keebler, a PowerSchool spokesperson, said in an emailed statement. 'PowerSchool has significantly invested in its cybersecurity program, culture, and talent over the years — this has been a diligent and continuous area of focus and one the Company plans to continue to invest in.'
Cybercriminals who steal sensitive data often threaten to publish it if they're not paid a ransom. PowerSchool declined to comment to NBC News about any extortion demand or payment. But in a private virtual briefing with customers, the company's chief information officer, Mishka McCowan, said the company had paid the hacker and received a video of them appearing to delete the stolen data, a person who attended the call told NBC News.
Cybersecurity experts caution that cybercriminals can backtrack on promises not to release data, and it's impossible to verify that the hacker didn't make backup copies.
In December, a hacker gained what appears to be full access to the SIS information of those schools that had used customer support. While not the entirety of PowerSchool's customer base, the breach appeared to expose the data of tens of millions of American children. While exact numbers are still unclear, the hacker has claimed the figure to be 62 million. That figure was first reported by the tech news site Bleeping Computer.
As of Thursday, the breached data did not appear to be publicly available online.
Private assessments of the hack show the company failed to take basic steps to protect students' data. PowerSchool hired the cybersecurity firm CrowdStrike to help investigate the breach. An interim report prepared by CrowdStrike and disseminated to some school officials, the contents of which had not previously been public and which was acquired by NBC News, found no evidence that the hackers used malware or found a backdoor into PowerSchool's systems. Instead, the hacker simply obtained a single employee's password. That granted access to a 'Maintenance Access' function that let them download millions of children's personal information.
According to the CrowdStrike report, the company was not even aware that it had been the victim of such a massive hack until late December, several days after it happened, when the hacker contacted the company to inform it and ask for a payment.
CrowdStrike declined to comment, in line with industry practice.
In a private online chat that included company executives and school representatives, an executive admitted that the hackers were able to access and download the student records by logging into one account that didn't have two-factor authentication enabled, one of the most basic cybersecurity standards for any account, particularly one that has access to sensitive information. One participant, who requested not to be named, took a screenshot of the chat and shared it with NBC News.
Bill Fitzgerald, an independent security consultant for schools, said that was an example of poor security, though not uncommon in the EdTech industry.
'If you're not enforcing multifactor authentication, that's just not best practice,' Fitzgerald told NBC News. 'But this happens all the time.'
Doug Levin, the national director of K12 SIX, an industry nonprofit devoted to helping schools guard themselves from hackers, blamed lax cybersecurity standards across what's referred to as EdTech, the industry of education-focused technology that schools increasingly rely on, especially since the Covid-19 pandemic. Levin told NBC News that the hack and the lack of safeguards were both extreme but still emblematic of the industry.
'For a sector so integral to the American way of life, it is unconscionable that neither K-12 schools — nor their vendors — are held to a cybersecurity standard of practice,' he said, referencing cybersecurity issues that plague the sector. 'This incident is unique both for its scope and the sensitivity of the data.'
PowerSchool declined to share specifics on how many students were affected by the hack, citing its ongoing investigation, but a spokesperson said the company was confident the number of students whose Social Security numbers were compromised was less than 25% — a figure that could still reach into the tens of millions.
Terry Loftus, the chief information officer for the San Diego County Office of Education, where seven districts are PowerSchool customers, told NBC News he was particularly concerned about hackers accessing additional student information that some school districts include in SIS.
'We may be talking about disabilities and what supports are being put in place for special education students,' Loftus said. 'This is massively sensitive, and something that's of high value to threat actors, as far as reselling to various nefarious groups or data brokers.'
'As it stands right now or as it appears, unless we hear otherwise, this will likely ultimately be the largest breach of K-12 students,' he told NBC News.
In some cases, former students' information was also in the PowerSchool program and their personal information was stolen as well, the company said in a press release.
There is no formal public accounting of PowerSchool's reach, but it has statewide contracts with Alabama, North Carolina and South Carolina, though use of the SIS software can vary within a state. Other states where schools have warned students and parents about the PowerSchool breach include Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Wisconsin and Wyoming.
Georgia broadcaster 11Alive has estimated from the state's Department of Education figures that more than 230,000 current students in the state may have been affected.
In some cases, school districts have warned that the hackers stole remarkably specific information. Utah Schools for the Deaf and the Blind announced that the hackers gained access to not just students' names, birthdays and grades, but also their locker numbers and combinations and the balances in their lunch accounts.
Sarah Powazek, the director of the University of California, Berkeley's public interest cybersecurity program, which offers cybersecurity help to schools and other civic organizations that may not be able to afford it, said schools are in the unfortunate position of trusting companies like PowerSchool to protect their students' private information.
'School districts really have no control over this product, and it's not up to them whether or not PowerSchool itself is implementing the correct security procedures within their own organization. The schools are very much at the mercy of these educational technology products,' Powazek told NBC News.
Publicly, PowerSchool has said it takes pains to ensure high cybersecurity standards. In 2023, CEO Hardeep Gulati joined then-first lady Jill Biden at a White House event promoting EdTech cybersecurity. The company's website says it takes a litany of steps to protect kids' and teachers' data, including routine security audits and 'Extensive and ongoing security/cybersecurity training for all our employees.'
PowerSchool is a signatory to another pledge, created by the nonprofit Future of Privacy Forum, in which it promises to take a series of basic steps to protect students' information. A spokesperson for the Future of Privacy Forum told NBC News that PowerSchool's status as a signatory is currently under review for 'potential violations of the company's Student Privacy Pledge commitments.'
This article was originally published on NBCNews.com

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

UPI

23 minutes ago

• UPI

Britain, U.S. warn Iran against Strait of Hormuz blockade

U.S. Secretary of State Marco Rubio (R) and Britain's Foreign Secretary David Lammy (L) at a meeting at NATO Headquarters in Brussels in April. File Photo by NATO/UPI | License Photo June 23 (UPI) -- Britain cautioned Iran Monday that attempts to block the Strait of Hormuz or to strike at American military facilities in the Middle East could lead to escalation, even as Israel continued its strikes on Iran. British Foreign Secretary David Lammy said Monday that such actions would be a "catastrophic mistake." "It would be a huge, catastrophic mistake to fire at U.S. bases in the region at this time. We have forces in the region at this time," said Lammy in an interview with BBC Breakfast. The Iranian parliament moved Sunday to approve a measure to close the Strait in response to the American strikes on Iran over the weekend. The strait serves as a critical route for oil being shipped from Persian Gulf countries, but ultimately it will come down to whether Iran's Supreme Leader Ayatollah Ali Khamenei decides to move forward with such a plan. Close to 30% of the world's seaborne oil shipments are moved through the strait. U.S. Secretary of State Marco Rubio also commented Sunday against Iranian interference with movement through the strait. He spoke with Fox News and called on China to prevent Iran from closing the Strait of Hormuz. "I encourage the Chinese government in Beijing to call them about that, because they heavily depend on the Straits of Hormuz for their oil," said Rubio, as China is a key oil customer of Iran. "The Persian Gulf and nearby waters are important route for international trade in goods and energy. Keeping the region safe and stable serves the common interests of the international community," Chinese Foreign Ministry Spokesperson Guo Jiakun said in a press conference Monday. "China calls on the international community to step up effort to promote de-escalation of the conflict and prevent the regional turmoil from having a greater impact on global economic growth." Meanwhile, Israel Defense Forces announced Monday on social media that it "struck routes in order to obstruct access" to the Fordow nuclear enrichment site in Iran's Qom province. The IDF also proclaimed it attacked six Iranian airports "across western, central, and eastern Iran, destroying runways, underground hangars, refueling aircraft, F-14, F-5 and AH-1 aircraft." It further alleged the strikes "impaired takeoff capabilities from these airports, as well as the Iranian military's ability to operate its air force from them."

27 minutes ago

Support for solar energy, offshore wind falls among Democrats and independents: poll

Americans' support for green energy tax credits and renewable energies like wind and solar power has decreased in recent years, according to a new poll, driven by a softening in support from Democrats and independents. The poll from The Associated Press-NORC Center for Public Affairs Research finds that U.S. adults' support for tax credits for electric vehicles and solar panels has weakened, as well as their enthusiasm for offshore wind farm expansion. While Democrats remain the strongest supporters of these initiatives, the poll reveals signs of growing cynicism within their ranks. The poll results coincide with sweeping changes President Donald Trump's Republican administration is making to regulations related to energy and climate change, including slashing the federal workforce in these departments. And although Democrats and independents have weakened their support for some green energy initiatives, there has not been an increase in support for Trump's energy policies. The poll found only about 4 in 10 U.S. adults — including only 1 in 10 Democrats and about 2 in 10 independents, along with three-quarters of Republicans — approve of the way Trump is handling climate change, which largely tracks with his overall approval rating. About 6 in 10 Democrats, 58%, favor tax credits for purchasing an electric vehicle, down from about 7 in 10 in 2022. Among independents, support declined from 49% in 2022 to 28%. Only one-quarter of Republicans supported this policy in 2022, and that hasn't changed measurably. 'As far as the pollution goes ... the vehicles nowadays put out very little emissions to the air,' said JD Johnson, a 62-year-old Democrat from Meadowview, Virginia, who somewhat opposes tax credits to purchase an electric vehicle. That's partly because he sees the electric vehicle manufacturing process as energy intensive and believes gasoline-powered vehicles have made improvements with the pollutants they emit. The decline in favoring solar panel tax credits was across the board rather than being concentrated among Democrats. 'For solar panels, in all honesty, I don't think they're that efficient yet,' said Glenn Savage, 78, a left-leaning independent from Rock Hill, South Carolina. 'I'd rather see them pour money into research and try to get the solar panels more efficient before they start giving tax breaks to the public. I may be wrong on that, but that's just my thought.' Scientists say transitioning to renewable energies and ditching fossil fuels that release planet-warming emissions are essential to protect the planet. Billions of dollars in project grants for clean technologies awarded during President Joe Biden's Democratic administration have been canceled by the Trump administration, and the offshore wind sector has been stunted by Trump's executive order that paused approvals, permits and loans for wind energy projects. Fewer than half of U.S. adults, 44%, now say that offshore wind farms should be expanded in the U.S., down from 59% in 2022. About half favor expanding solar panel farms, while about two-thirds were in support in 2022. When people are concerned about the economy and their personal finances, environmental issues are sometimes prioritized less, said Talbot Andrews, an assistant professor in the department of government at Cornell University who was not involved in the poll. 'I think it makes people anxious to think about increased taxes or increased spending on environmental issues when the cost of eggs are going through the roof,' Andrews said. Trump has championed the expansion of offshore oil drilling, as well as domestic coal production. Despite a decline in support for expanded renewable energies, the new poll shows that only about one-third of U.S. adults think offshore drilling for oil and natural gas should be expanded in the U.S., and only about one-quarter say this about coal mining. In both cases, Republicans are much more likely than Democrats to support expanding these energy sources. Trump has sought to open up national monuments for oil drilling, but more U.S. adults oppose than support auctioning off more public space for oil drilling. Only about one-quarter of U.S. adults favor this, while 4 in 10 are opposed. Republicans are much more likely than independents or Democrats to be in support. The Energy Star program that certifies appliances, such as dishwashers and refrigerators, as energy efficient recently appeared in headlines when the EPA made plans to scrap the program. The blue and white logo is well recognized, and experts say the program has long had bipartisan support until recently. The poll found three-quarters of Democrats support providing consumer rebates for efficient home appliances, compared with 6 in 10 Republicans. Patrick Buck, 54, from Chicago, describes himself as a liberal Republican and is a fan of the consumer rebates for energy-efficient appliances. 'It seems to work in terms of transforming what people have in their houses, because a lot of people have a lot of old appliances and just can't afford new ones,' he said. The poll found only about 2 in 10 U.S. adults are 'extremely' or 'very' confident in the federal government's ability to ensure the safety of their drinking water, the air they breathe and the meat, poultry, fruits and vegetables they buy in grocery stores. About 4 in 10 U.S. adults are 'somewhat' confident in the federal government's ability to ensure the safety of each of these, and about 4 in 10 are 'not very' or 'not at all' confident. The Trump administration has announced plans to roll back rules and policies related to limiting pollution and greenhouse gas emissions, such as rules that limit pollution from power plants and blocking California's efforts to phase out cars that run on gas. The federal government has also cut staff at the Food and Drug Administration, the federal agency tasked with protecting public health and ensuring food supply safety. ___ The AP-NORC poll of 1,158 adults was conducted June 5-9, using a sample drawn from NORC's probability-based AmeriSpeak Panel, which is designed to be representative of the U.S. population. The margin of sampling error for adults overall is plus or minus 4 percentage points. ___ The Associated Press' climate and environmental coverage receives financial support from multiple private foundations. The AP is solely responsible for all content. Find the AP's standards for working with philanthropies, a list of supporters and funded coverage areas at

CNBC

30 minutes ago

• CNBC

Here's the salary Americans say they now need to earn to live comfortably

With higher prices now firmly entrenched, and President Donald Trump's tariffs fueling inflationary concerns, most Americans say they need an income boost to get by, according to a new report. Nearly half, or 45%, of all adults said they would need to make $100,000 or more a year to feel financially secure, Bankrate's financial freedom survey found. Roughly one-quarter, or 26%, said they need to make $150,000 or more. Fewer — 16% — put the bar at over $200,000. By comparison, the median household income in 2023 was a little over $80,000, according to the latest U.S. Census Bureau estimates. Altogether, the share of Americans who said they do not feel completely financially comfortable rose to 77% in 2025, up from 75% in 2024 and 72% in 2023, according to Bankrate's survey, which polled more than 2,200 in May. Here's a look at other stories affecting the financial advisor business. While Americans might have different definitions of what living comfortably entails, being in "a financial sweet spot," often means "you are able to cover your bills and everyday essentials but also have money left over for eating out and vacations," said Bankrate's economic analyst Sarah Foster. However, the recent period of high inflation and economic uncertainty has chipped away at most consumers' buying power, according to Carolyn McClanahan, a certified financial planner and founder of Life Planning Partners in Jacksonville, Florida. "One major issue is that wages have been stagnant for a large majority of the population over that time, and prices continue to rise," said McClanahan, who also is a member of CNBC's Advisor Council. "Add that to the backdrop of political instability everyone is feeling, and I think that is a perfect formula for people not feeling financially secure." Further, households are also facing surging child-care expenses, ballooning auto loans, high mortgage rates and record rents along with the resumption of student loan payments. But a deterioration of the American dream has been decades in the making, according to Bankrate's Foster. "It starts long before the pandemic," she said. "There has long been this perception that we used to be in this golden age where you could own a home, a car, and get by on a single income — that is a bygone era." A separate survey by Edelman Financial Engines from 2024 had similar findings: 58% of adults said they would need to earn $100,000 on average to not worry about everyday living expenses, and one-quarter said they would need to earn more than $200,000 to feel financially secure. In most cases, feeling financially secure is not based on how much you earn, but rather a commitment to save more than you spend and maintain a well-diversified portfolio, experts often say.