PowerSchool Confirms 16,000 UK Students’ Data Stolen in December Breach
U.S. edtech giant PowerSchool has confirmed that 16,000 students in the United Kingdom had their personal and sensitive data stolen during a December 2024 data breach.
Scope of the Breach
This week, PowerSchool began notifying individuals outside of the U.S. and Canada who were affected by the breach. The incident, first confirmed by PowerSchool in January, saw hackers access the personal data of millions of students and teachers after using compromised credentials to breach the company’s customer support portal.
Number of International Students Affected
PowerSchool hasn’t confirmed how many international students have been affected. However, in an emailed statement to TechCrunch, PowerSchool spokesperson Beth Keebler confirmed that four schools in the U.K. were affected, with hackers accessing the data of “approximately 16,000 students.”
Data Exfiltrated
In a letter sent to impacted individuals outside of the U.S. and Canada, seen by TechCrunch, PowerSchool said that data accessed includes students’ contact information, dates of birth, limited medical data, and “other related information”.
Company’s Response
Keebler told TechCrunch that “the information exfiltrated for any given individual varied across our customer base.” PowerSchool declined to name the U.K. schools impacted by the incident.
ICO’s Involvement
Lucy Milburn, a spokesperson for the U.K.’s Information Commissioner’s Office (ICO), told TechCrunch that it had not received a data breach report from PowerSchool. Keeber confirmed the company had not filed a data breach report to the ICO, claiming that this is because PowerSchool “does not act as a data controller” — an organization that determines the purpose and means of processing personal data — under U.K. data protection law.
Conclusion
The PowerSchool data breach has raised concerns over the security of sensitive student data, with 16,000 students in the UK being affected. The company’s decision not to offer credit monitoring services to data breach victims outside of the U.S. and Canada has also sparked criticism. The incident highlights the importance of robust data protection measures to prevent such breaches in the future.
FAQs
Q: How many international students were affected by the PowerSchool data breach?
A: 16,000 students in the UK were affected.
Q: What type of data was exfiltrated in the breach?
A: The exfiltrated data includes students’ contact information, dates of birth, limited medical data, and “other related information”.
Q: Has PowerSchool notified all affected individuals?
A: No, PowerSchool has only begun notifying individuals outside of the U.S. and Canada this week.
Q: Has the ICO received a data breach report from PowerSchool?
A: No, the ICO has not received a data breach report from PowerSchool, which claims it does not act as a data controller under U.K. data protection law.
