I'm a security editor and after the massive 70 million PowerSchool data breach — I started asking questions about how it affects my kids

Like many other parents, last month I got an email from my school district. It said that the district had been notified about a potential security incident involving PowerSchool, the app I use for my kid’s school.

It tracks their attendance, has information about who’s allowed to pick them up in case of emergencies, and includes medical information.

My first thought was: That did not take any time at all. I knew once my kids started school, I should be prepared for the possibility that they would get caught up in a data breach eventually, but they haven’t even completed their first year.

My second thought was sympathy for the administrators because, as a parent and a security editor, I was going to have some pretty detailed follow-up questions. While the initial email from PowerSchool, and the dedicated website, did answer a lot of the questions I would ask about any data breach, I was left with some specific questions about how this breach was affecting my school district and my family.

Here’s what I recommend you ask if you’ve been affected by the PowerSchool data breach, or if you find your kids or school involved in a similar situation.

The PowerSchool breach: What happened and where to start asking questions

My first questions were the big, overall questions that anyone would want to know about a data breach – what happened? When did PowerSchool notice the breach? And what did they do to contain or correct the breach?

These questions were answered both in the email and on the website: On December 28th, 2024, PowerSchool realized they had a cybersecurity issue on their hands, involving unauthorized access to their Student Information System (SIS) via the community-focused customer portal, PowerSchool.

No operations were disrupted; no malware or continued activity occurred; and PowerSchool immediately activated its protocols, including cybersecurity responses, third-party experts and an investigation.

PowerSchool included additional information on the site and in the email that answered my following questions: What kind of data was leaked? How many people were affected? Where do people go for further information? What steps do we need to take to get our personal information protected? Are credit monitoring or identity theft monitoring services being provided and if so, how do I access those services?

While they didn’t disclose how many people were affected, PowerSchool did share that the information that was exposed may have included names, contact information, birthdates, limited medical information and Social Security numbers (depending on whether or not the district in question stored that information in their SIS system).

PowerSchool’s statement said the majority of individuals did not have medical information or Social Security numbers involved; later news reports said that as many as 70 million students and educators across 6,500 districts may have been affected.

PowerSchool is notifying regulators, meaning Attorneys General, on customers' behalf, as well as students, parents and guardians, and is offering complimentary identity protection services, including credit monitoring services, for those who have been affected. Information on how to access those services is available on their website about the data breach.

Where to keep asking questions: What I asked my district

While the PowerSchool website answered a lot of my general questions, I still had some specific ones that pertained more to my school district and to my family.

For example, was my district one of the ones that was affected by this breach? I hadn’t been notified that it had been, but the email I had been sent seemed vague, and I wanted to know specifically if I needed to proceed with looking into identity theft or credit monitoring services for my children.

I had more questions as well, like does my district have an SIS with PowerSchool, and if so, what do they store about my child on it? Is it cloud-based or an on-premises database? Does it use multi-factor authentication? Is my district planning on continuing to use PowerSchool? If so, how will they continue to inform us or update us about this breach? And how many other parents have had questions or concerns about the PowerSchool breach?

Some of the responses I got were surprising, and some were not as reassuring as I had hoped, but I will say that everyone I contacted at my district was entirely forthcoming and helpful in getting me replies. No one, other than myself, had contacted them with any questions or concerns about the breach. Not a single parent in the entire district. This was very surprising to me.

In response to my question about whether or not my district was affected by the breach, I was told “We are still waiting for the results of the internal PowerSchool investigation before being able to determine the scope of the breach with regards to our rosters.”

That’s fairly concerning, considering the initial email seemed to indicate that our district was not affected. If I need to look into identity theft protection or credit monitoring for my children, I’d rather start that process sooner rather than later – and I know that CrowdStrike completed their investigation for PowerSchool last month.

My contacts at my district were able to tell me about what kind of SIS my district has, what it has stored on it, and that they are working with their insurer to "review current cybersecurity measures and develop additional measures such as district-wide MFA and Titan USB key usage."

While this is reassuring, there isn't an expected date for when this will all roll out, and given the increased need for additional security features when it comes to breaches, these types of added protections are becoming more and more important.

Lastly, I was told that while my district plans to continue to use PowerSchool, they will also keep parents informed about the breach as they are made aware of developments — and that PowerSchool will be reaching out to individual families affected by the breach. But the district website has a letter with updated information that wasn't sent directly to parents.

The PowerSchool website does not give any indication as to how long they expect it will take to notify families and includes a disclaimer that Experian or TransUnion may notify families who were affected and for whom they had appropriate contact information. But if families are not expecting to be contacted by those companies, or don't know that their contact information isn't complete, they may slip through the cracks without being aware.

PowerSchool's lack of transparency when it comes to how many people are affected, as well as the timeline for when to expect support, and the lack of information about the CrowdStrike investigation create a murkiness around the breach, although they have been largely forthcoming.

The back and forth from my district about whether or not it was actually involved in the breach creates anxiety in me as a parent, because I don't know how to respond. While it's never easy to handle a data breach of this magnitude, and everyone is doing their best, it's also worth learning from what we could do better – because there's going to be a next time.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
