PowerSchool disclosed a breach in January 2025 in which threat actors accessed its support platform using compromised credentials, potentially exposing records of students and staff across schools in the US and Canada. Exposed data included names, addresses, Social Security numbers, medical information, and grades affecting over 60 million students.
PowerSchool
K-12 student information system handling enrollment, grades, attendance, and parent portals.
Recent threats
Newfoundland and Labrador's Office of the Information and Privacy Commissioner released Report P-2026-001 on May 11, 2026, examining the PowerSchool Student Information System cyber attack that exposed personal data of students, parents, and teachers across the province's K-12 system. The report finds that records dated back to 1995 for students and 2010 for teachers, and that 244,917 student MCP (medical care plan) numbers were among the data taken. Investigators concluded the core failure was PowerSchool not meeting its own contractual security commitments, compounded by insufficient oversight by the provincial Department of Education. The Commissioner issued recommendations to tighten contracts, improve monitoring of PowerSchool's compliance, directly notify a subset of current students whose Social Insurance Numbers may have been affected, and cease collection and retention of MCP numbers. The findings align with parallel investigations by privacy commissioners in Ontario, British Columbia, and Saskatchewan into the same PowerSchool breach.