WASHINGTON, D.C. (WTWO/WAWV) — Senators Jim Banks (R-Ind.), Maggie Hassan (D-N.H.) and James Lankford (R-Okla.) are seeking answers from PowerSchool and Brain Capital executives after a cyberattack in December compromised the personal data of thousands of students and staff nationwide.
PowerSchool, the largest provider of cloud-based education software for K-12 education in the country, notified schools about the incident in December of 2024.
A report from BleepingComputer, a cybersecurity news outlet, said the data breach impacted more than 62 million students and over 9.5 million teachers across 6,500 school districts.
According to a press release from Sen. Banks, the attack affected around 200 school districts in Indiana. WTWO/WAWV previously reported that Clay Community Schools were among the 200 school districts in Indiana affected by the attack.
The stolen data primarily contains contact information like names, addresses and dates of birth. However, it could also include more sensitive info like Social Security numbers and “limited medical alert information,” according to PowerSchool.
A company spokesperson told NewsNation that most individuals, more than three-quarters, did not have Social Security numbers exposed in the breach.
The type of data exposed varies by district due to different state and district policies, but there is no evidence that credit card or banking information was involved, PowerSchool said.
Clay Community Schools Superintendent Timothy Rayle said that they were notified about the attack on January 7. This led to social security numbers along with other personal information of 9th-12th grade students being stolen.
Rayle added parent or guardian information, and some staff members information was also stolen. Rayle said that there is nothing that the school corporation could’ve done to stop this from happening.
“PowerSchool had a maintenance program that we were unaware of that had an export ability with a password which was stolen,” said Rayle. “This password was the same for every school district, so without us knowing that, we never would’ve allowed a maintenance program with an export.”
NewsNation reports Indianapolis Public Schools also confirmed it was affected, stating that some of its student and employee data were compromised as part of the breach.
IPS said its student director information, student demographic information, student medical alert information and parent/guardian directory information were compromised.
The district added that employees who have PowerSchool accounts had directory information and the last four digits of their social security numbers compromised.
The senators say inadequate cybersecurity measures, delayed notifications and poor communication from the company led to the cyberattack, according to a press release.
In part, the Senators wrote “We write to express significant concern about the risks that students, staff, and school districts face after malicious actors stole their personal data in a cyberattack on your company’s information systems. According to recent reports, malicious actors breached PowerSchool’s SIS service and stole this sensitive data, putting students and staff at significant risk of identity theft. School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools.”
To read the Senator’s full letter to CEO of PowerSchool Hardeep Gulati and CEO of Brain Capital Micheal Ward, click here.
