PowerSchool hack: How Virginia student data may have been exposed
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Brendan Lynch/Axios
Per a general 2024 student data privacy agreement listed on PowerSchool's website, the data in the system include "but are not limited to":Data belonging to an unknown number of Hanover County Public Schools students was stolen in a recent breach of a major education technology provider.
Why it matters: Kids aren't immune to identity theft, and an increasing number of them are encountering identity fraud before turning 18, according to recent surveys.
Driving the news: Earlier this month, Hanover schools notified its roughly 17,000 students about a data breach at PowerSchool, an education technology company that works with 75% of all K-12 school districts in the U.S.
- The hack happened between Dec. 19-22 and PowerSchool became aware of it on Dec. 28.
- The data breached includes student names and addresses, parent contact information, teacher names and schedules.
- In a Jan. 14 update, Hanover assured families and staff that Social Security numbers aren't stored in PowerSchool and weren't compromised.
The big picture: About 85 public school districts in Virginia — or roughly 65% — use PowerSchool, according to a list of current members statewide.
- Evan Roberts, a crisis and litigation communications consultant on behalf of PowerSchool, told Axios the company can't share how many Virginia schools were involved in the hack due to the ongoing investigation.
- Roberts added the "data may vary in volume and sensitivity by school district" but "we expect the majority of involved customers did not have social security numbers or medical information exfiltrated."
Zoom in: Richmond and Chesterfield schools don't use the PowerSchool Student Information System so they weren't affected.
- Henrico does, but spokesperson Eileen Cox told Axios that its data "does not currently appear to be impacted" and they remain in contact with the tech company.
- Media reports have indicated that at least Charlottesville, Fluvanna, Russell, Botecourt and Salem schools' information was breached.
Per a general 2024 student data privacy agreement listed on PowerSchool's website, the data in the system include "but are not limited to":
- Class lists, health records, student discipline files, student course schedules and personally identifiable information — which can be Social Security numbers.
The latest: PowerSchool has said the threat was contained and the stolen data was deleted as it paid money to prevent the hackers from sharing it, per Hanover schools.
- That's not a guarantee, and once hackers have stolen someone's data, there are only a few options for people.
- For people whose information was involved, PowerSchool is offering two years of free identity protection and credit monitoring services.
What we're watching: It's still unclear how many students' information was at risk in Virginia, and what exact information was hacked statewide.
Go deeper: