School districts in the US and Canada say hackers stole all their historical data from a compromised PowerSchool service in a data breach that appears to impact millions of students and educators.
PowerSchool, which provides education software and services to more than 16,000 K-12 schools and school districts in the US, Canada, and tens of other countries worldwide, informed its customers on January 7 that hackers stole their information from the PowerSchool Student Information System (SIS) service.
The attackers accessed the SIS service through the PowerSource customer support portal, stealing the names, contact information, dates of birth, medical information, Social Security numbers, and other information of both students and educators, PowerSchool said in an incident notice.
While details on how the incident occurred were not shared publicly, PowerSchool previously told its customers that ‘a compromised credential’ was used to access PowerSchool SIS.
“This credential, which was tied to a maintenance account, gave the threat actor(s) broad and deep access to many PowerSchool customers’ data,” the Menlo Park City School District (MPCSD) said in an incident notice.
PowerSchool engaged with Canadian firm CyberSteward to negotiate with the attackers and ensure that the stolen data is not shared publicly, suggesting that “PowerSchool paid the ransom and received reasonable assurances that the data was deleted,” MPCSD said.
The school district revealed that the attackers stole the information of all individuals enrolled or working with MPCSD since 2009, and that the compromised information also includes parent/guardian/emergency contact names, ID numbers, disability information, gender, race and ethnicity, and more.
“PowerSchool is currently working with CrowdStrike, a leading security consultant, to publish a forensic report that will provide additional information. This report is scheduled to be released Friday, January 17, 2025,” MPCSD said, but that date has passed and the report was not released.
The Toronto District School Board (TDSB), the largest school board in Canada, said this week that the data breach impacts “all those who were students with TDSB between September 3, 1985 to December 28, 2024”.
Four decades of relevant information pertaining to students and seven years of information pertaining to parents/guardians/emergency contacts were stolen, with the exception of Social Security numbers and financial or banking information, TDSB said. Approximately 1.5 million students were likely affected.
While the stolen information differs for each school district, as they have complete control over what they store in PowerSchool SIS, it appears that the attackers exfiltrated 150 unique fields for every student and 97 unique fields for every staff member.
PowerSchool has not shared information on how many customers might have been affected, but hundreds of school districts across more than 40 US states and tens of school boards in Canada have already disclosed that they were impacted by the incident, with some confirming that hundreds of thousands were affected. At least 2.7 million records are confirmed to have been affected to date.
The hackers reportedly stole the data of more than 6,500 school districts, with the number of potentially impacted individuals likely exceeding 72 million: approximately 62.5 million students and over 9.5 million educators.
At the time of publication, PowerSchool has not responded to a SecurityWeek inquiry on the hackers’ claims, but the company previously said that it will be notifying state attorney general offices and all impacted stakeholders on behalf of its customers.
It is unclear who the threat actor behind the data breach is or how they came by the compromised credential. Reportedly, information stealing malware might have been used to steal the login information of a maintenance account used to manage customer SIS instances.
While PowerSchool said it identified the data breach on December 28, 2024, the attackers likely gained access to the SIS service prior to December 22, when they started exfiltrating customers’ data using an export data manager.
An unofficial guide authored by American School of Dubai SIS Specialist Romy Backus provides details on how school districts can hunt for indicators of compromise (IoCs) and determine whether student data was exfiltrated on December 22, and teacher data on December 23. Other tools to help potentially affected customers are available as well.
PowerSchool customers who were using the SIS service at the time of the incident should review their logs to determine how many individuals were impacted and what type of information was exfiltrated.
PowerSchool has not updated its security incident page since January 17 and numerous questions regarding the data breach remain unanswered. What is clear is that the company is facing backlash as a result of the data breach, as more than 20 lawsuits have already been filed against it.
Although it told customers that the stolen data was deleted and would not be shared publicly, PowerSchool is providing the impacted individuals with two years of free identity theft and credit monitoring services, even if their Social Security numbers were not stolen in the attack.