PowerSchool theft latest: Decades of Canadian student records, data from 40-plus US states feared stolen

Lawsuits pile up after database accessed by miscreants


Updated: Canada's largest school board has revealed that student records dating back to 1985 may have been accessed by miscreants who compromised software provider PowerSchool.

The Toronto District School Board, or TDSB, which serves about 240,000 students across 588 schools in the Toronto area, confirmed Monday that whoever broke into PowerSchool's database would have been able to get their hands on kids' sensitive personal info.

PowerSchool runs a cloud-based student information management system for 18,000-plus education customers that holds records on at least 60 million K-12 students worldwide, primarily in North America. These customers each get an instance of the PowerSchool SIS (student information system), which holds their data.

The biz revealed earlier this month that crooks gained unauthorized access to these instances and were able to extract records of children and educators in December. A webpage dedicated to the intrusion, with information for teachers and students, has been set up here.

The California-based developer has paid a ransom to the thieves to hopefully keep the pilfered data under wraps. It said it suffered a straight-up network intrusion rather than a ransomware infection. "We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination," the software maker told customers this month.

Whoever broke in would have been able to, depending on the customer and circumstances, access data including names, genders, home addresses, phone numbers, dates of birth, grades, health card numbers, and Social Security numbers. Additionally, for students enrolled since September 1, 2017, the security breach may have exposed some medical details as well as parent, guardian, or caregiver contact information.

"With respect to medical information, if you provided information to your child’s school about your child’s allergies, medical conditions, or injuries when completing the start of school year forms, this information was included in the data that may have been accessed or acquired," wrote Stacey Zucker, interim director of education for the TDSB, in a letter this week to the parents.

"PowerSchool has reported that it received confirmation that the data acquired by the unauthorized user was deleted and that the data was not posted online," Zucker added.

Canada's not alone in dealing with the fallout of the PowerSchool security breach. Reports indicate that schools in more than 40 US states have also been affected in one way or another. So far the list includes Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Wisconsin, and Wyoming. The British Overseas Territory of Bermuda has also reported problems.

PowerSchool is also facing a flurry of lawsuits, with more than 20 currently filed against the biz from what we can observe from the US court system alone. We've asked the biz for comment.

Though the software provider stated the exfiltrated data has now been deleted, we'll have to see if the criminals will keep their word on that front. The Register is keeping an eye on the usual ransomware dark web sites and nothing from PowerSchool has been posted yet. ®

Updated to add

Bleeping Computer has some interesting stats from sources: Whoever took the data claims to have swiped personal records on 62.4 million students and 9.5 million teachers in 6,505 school districts in the US, Canada, and other countries.

It also reported that a customer support tool called an export data manager was used to dump student and teacher tables from customers' PowerSchool SIS instances as CSV files, which were then stolen. A miscreant was able to use a compromised credential to gain access to a support portal called PowerSource, which allows PowerSchool staff to access and manage customer SIS instances. The export tool was then used to grab personal data on millions of people from those instances.
