
Senators Hassan, Banks, and Lankford Demand Accountability from PowerSchool Following Major Student Data Breach

WASHINGTON – U.S. Senators Maggie Hassan (D-NH), Jim Banks (R-IN), and James Lankford (R-OK) are demanding answers from PowerSchool and Bain Capital executives following a significant cyberattack that compromised the personal data of thousands of students and staff nationwide. The Senators cite inadequate cybersecurity measures, delayed notifications, and poor communication from the company, whose software manages sensitive student and staff information for thousands of schools in the United States, including schools across New Hampshire. 

“We write to express significant concern about the risks that students, staff, and school districts face after malicious actors stole their personal data in a cyberattack on your company’s information systems,” wrote the Senators. “According to recent reports, malicious actors breached PowerSchool’s SIS service and stole this sensitive data, putting students and staff at significant risk of identity theft. School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools.” 

“According to reports, your company failed to put in place basic cybersecurity safeguards – such as multi-factor authentication – that could have helped to prevent the cyberbreach,” the Senators continued. “Your company also has not clearly communicated a date by which impacted individuals will receive free identity protection and credit monitoring services. Your delayed and unclear communication is unacceptable, especially given the sensitive nature of the personal data that was stolen. We urge you to immediately notify all impacted individuals and provide them with these protective services.” 

The full text of the letter is below:

Dear Mr. Gulati and Mr. Ward:

We write to express significant concern about the risks that students, staff, and school districts face after malicious actors stole their personal data in a cyberattack on your company’s information systems. We urge PowerSchool to immediately notify all students and staff whose personal data may have been compromised, provide impacted individuals with identity protection services free-of-charge as soon as possible, and provide answers to questions regarding your company’s reported cybersecurity failings.

More than 16,000 customers use PowerSchool’s software products to serve 50 million students in the United States.[1] Schools use PowerSchool’s Student Information System (SIS) service to manage student enrollment, attendance, grades, and records – as well as school staff records. These records could include dates of birth, Social Security numbers, home addresses, health information, and other private, personally identifiable information.

According to recent reports, malicious actors breached PowerSchool’s SIS service and stole this sensitive data, putting students and staff at significant risk of identity theft. School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools. While the breach occurred as early as December 19, 2024, you failed to detect it until December 28, 2024.[2] Moreover, you did not notify SIS customers of the incident until January 7, 2025 – nineteen days after the incident.

Your company also has not clearly communicated a date by which impacted individuals will receive free identity protection and credit monitoring services. Your delayed and unclear communication is unacceptable, especially given the sensitive nature of the personal data that was stolen. We urge you to immediately notify all impacted individuals and provide them with these protective services.

According to reports, your company failed to put in place basic cybersecurity safeguards – such as multi-factor authentication – that could have helped to prevent the cyberbreach. Moreover, since the cybersecurity incident, PowerSchool has reportedly hired a cybersecurity technology company to conduct an analysis of the incident. This is an important step toward accountability and regaining the trust of your customers and the public. We ask you to be transparent with the analyst’s findings, and we request your prompt and comprehensive answers to the following questions:

  • Please detail the timeline of events from the date that the SIS cybersecurity incident occurred through today.
  • How many individuals across the United States had their data compromised by the December 2024 cyberattack on SIS? Please provide a breakdown of the number of current and former students and school staff who were impacted by state and school district.
  • What assistance have you provided to states, school districts, and schools that were impacted by the data breach, and what supports will you provide them moving forward? 
  • How far back do the compromised records go? For instance, if a school used SIS services 10 years ago but no longer does, was that school impacted by the breach?
  • What assistance have you provided to states, school districts, and schools that no longer have an active SIS contract but are past clients and whose data was compromised?
  • Schools may use several PowerSchool software products. Were any of your other software products compromised by the cybersecurity incident? If so, was student and staff data accessed, and what are your plans to notify and support impacted individuals?
  • Please provide a date by which your company will fulfill its stated commitment to provide two years of complimentary identity protection and credit monitoring services to students and staff whose personally identifiable information was compromised. Do you commit to providing these services to all impacted students and staff even if it is not required by state law or your contracts?
  • Did your company require multi-factor authentication for PowerSchool employees and contractors at the time of the breach? If not, why, and will you commit to requiring the use of this cybersecurity safeguard moving forward?
  • How swiftly did you notify federal, state, and local law enforcement about the cybersecurity incident, and are you cooperating with any investigations they may have underway into the incident?

Thank you for your attention to this important matter. We ask that you reply no later than March 7, 2025.

###