PowerSchool faces more scrutiny following widespread data breach
K-12 Dive

This story was originally published on K-12 Dive.

Since PowerSchool first publicly disclosed in January that it had fallen victim to a data breach that compromised some student and teacher data, scrutiny and investigations into the incident have escalated.

PowerSchool, which serves over 60 million students and 18,000 educational customers, told K-12 Dive last month that it discovered on Dec. 28 what it called a “potential” cybersecurity incident. A threat actor reportedly gained unauthorized access to an unknown amount of PowerSchool's student and staff data by going in through the company's PowerSource service, a customer support portal for district and school staff.

The threat actor is believed to have stolen data from two tables containing family and teacher information from PowerSchool’s Student Information System database. PowerSchool also previously told K-12 Dive that the infiltrated PowerSource system lacked multifactor authentication — a standard and encouraged practice for securing sensitive data. 

Some of the breached data may include students’ and teachers’ personally identifiable information like names, addresses and Social Security numbers — as well as, in some cases, medical data.

Following reports that PowerSchool had failed to encrypt the PowerSource system, the Future of Privacy Forum, a nonprofit promoting privacy protections, on Feb. 13 dropped the company as a signatory from its Student Privacy Pledge.

FPF said the failure to use multifactor authentication specifically violates the think tank’s pledge, which in part requires ed tech companies to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII [personally identifiable information] — such as unauthorized access or use, or unintended or inappropriate disclosure — through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.”

Though PowerSchool has yet to confirm the number of students or school districts affected, multiple class action lawsuits have been filed against the software company over the breach. 

More recently, some government officials in and outside of the U.S. have also started to take notice. 

For instance, Canada's privacy commissioner on Feb. 11 announced an investigation regarding the breach after PowerSchool announced that schools there had been impacted.