As hundreds of school district officials across the country ring alarm bells, Fairfax County Public Schools Superintendent Michelle Reid remained silent this week on the explosive news that cybercriminals have hacked the Student Information System database owned by a global technology company, PowerSchool Holdings Inc., is managed. , Theft of highly sensitive student information, including names, addresses, grades, attendance, enrollment, parent names, social security numbers and medical records, and teacher information.

The FBI’s cybersecurity teams are investigating the hacking attack. According to reports of the cyber theft, Folsom, California-based PowerSchool paid a “ransom” to the hackers who promised to delete the data. Tech experts around the world scoured the dark web last week to find out if the guarantee was true. schools Maine to California have informed their communities about the impact of the breach on their school districts.

The silence from Fairfax County Public Schools leaders raises many unanswered questions among parents, staff and community members and raises concerns about transparency in a school district with a massive $3.8 billion budget and executive salaries on the superintendent’s team over $200,000. In a brief statement, Fairfax County Public Schools spokeswoman Julie Allen said the school’s student information system, known as “SIS,” was not affected.

“There was no impact whatsoever. “To be clear, the violation did not impact FCPS in any way,” Allen said. “The data breach involves PowerSchool SIS. “FCPS does not use PowerSchool SIS.” Allen did not respond to questions about PowerSchool systems that FCPS uses. She also did not answer why Reid had not issued a statement about the hacking of PowerSchool data.

In contrast, Maryland has Frederick County Public Schools issued a statement that two “data tables” containing “teacher and student records” were “affected.” In Massachusetts, Randolph Public School District Superintendent Thea Stovell Herndon issued a “Cybersecurity Memorandum: PowerSchool Data Breach,” which states: “We are writing to share information about a data breach that has affected our school district and many others across the state, country and world.” She noted: “The Situation affects us all.” Maryland’s Charles County Public Schools notified The parents were “not affected” but would “follow this incident closely.”

Fairfax County Public Schools has pumped an estimated $10.7 million into the PowerSchool empire with three contracts dating back years Fairfax County Government Contract Records. Initially, West Interactive Services Corp., later part of PowerSchool, signed the contract in March 2018 Contract number 4400012761Fairfax County Public Schools will pay an estimated $1.1 million for the first five years and about $209,000 per year for subsequent years for a “mass notification system” now set to expire on June 30, 2025.

Second, Naviance Inc., which was later purchased by PowerSchool, signed a contract in June 2018 No. 4400011469expiring June 30, 2025, for an “Academic and Career Planning Resource System” for $712,133.40. Finally, Schoology Inc., which was later purchased by PowerSchool, signed a six-year deal in 2019. No. 44000010012with Fairfax County Public Schools, a total of $8.4 million from 2020 through June 30, 2026 for an “Integrated Learning Management System.”

Big Tech, “EdTech” hack

The incident highlights vulnerabilities in Big Tech’s growing “EdTech” industry, a multibillion-dollar sector that manages sensitive education data. Critics warn about the risks of consolidating such data into the hands of large corporations, often led by “EdTech bros” who prioritize growth over security.

Billionaires like Mark Zuckerberg have invested heavily in education technology, further solidifying the industry’s influence in classrooms across the country. US Attorney General Merrick Garland’s son-in-law, Xan Tanner, co-founded a major EdTech company, Panorama Education.

PowerSchool says it provides cloud-based software systems to approximately 100,000 people worldwide 75% of U.S. school districts covering approximately 18,000 schools worldwide. It says it stores data from about 60 million students. This includes the approximately 183,000 public school students in Fairfax County.

PowerSchool sells school districts a range of tools to optimize school operations, including enrollment, attendance, learning management, analytics and financial systems. The company sells its “Student Information System” called “SIS” as a cornerstone product that helps schools manage student data. This is where teachers upload grades and attendance records for students and parents to access.

On October 1, Bain Capital, a $185 billion private equity firm founded by Utah Senator Mitt Romney, issued $5.6 billion to purchase PowerSchool. Two other well-known investment firms – Vista Equity Partners and Onex Partners – are minority investors in PowerSchool.

Why the big money? Big data – especially in the highly protected children’s market – means more big money. And cybercriminals know this too.

The hack and its global impact

Hackers broke into PowerSchool’s system between December 19th and 28th, just two and a half months after the expensive purchase. PowerSchool’s communications with customers said they stole children’s names, addresses, Social Security numbers, medical records, grades and other personal information. PowerSchool “has become aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information,” the company said in a statement provided by Evan Roberts, senior managing director of crisis and litigation at FTI Consulting Inc. a global consulting firm based in Washington, D.C., sent to the Fairfax County Times

On Tuesday, January 7, PowerSchool sent a “Cybersecurity Incident Notification” to customers. Immediately the messaging platform Reddit exploded Tech administrators from school districts around the world expressed shock at the news, shared tips on assessing any damage, criticized PowerSchool’s confusing, mixed messaging to their school systems, and figured out what happened. A technical publication, Bleeping Computer, reported the news late at night.

There has been frustration among IT administrators on Reddit all week. A thread in “r/k12sysadminThe community began: “Is anyone else affected by the PowerSchool SIS compromise?”

One comment criticized PowerSchool’s “backdoor” access to customer support, which enabled the breach even for districts that had disabled remote access. Another commenter noted PowerSchool’s opaque and inconsistent communications that left districts in the dark about the extent of their data compromise.

The next day, Wednesday, January 8, school districts across the country began sending impact statements to parents and staff. Through Thursday, January 9, school districts in Michigan, including Kalamazoo and Paw Paw Public Schools, will issued Early notifications that clarify what data has been accessed.

Although the Fairfax County School Board held a public meeting Thursday, school district superintendent Reid did not learn of the violation throughout the evening.

School district leaders are in until Friday, January 10th Nebraska, Central Ohioand Long Island’s Massapequa School District informed parents and teachers of the impact of the violation.

The breach affected various districts, from Cromwell Public Schools in Connecticut to Elkhorn Public Schools in Nebraska, with data compromises of varying degrees reported. Some districts found breaches of demographic and contact information, while others said Social Security numbers were not stored in their PowerSchool systems.

A breach of trust and growing concerns

The lack of an official statement from one of the nation’s largest school systems raises questions about the district’s transparency and preparedness in dealing with such crises.

As the investigation continues, cybersecurity experts warn that the stolen data could resurface despite PowerSchool’s assurances that it would be deleted. For families and educators, the breach is a stark reminder of the vulnerabilities in an increasingly digital education system.

The statement from PowerSource’s crisis management firm said: “As soon as we learned of the incident, we immediately activated our cybersecurity response protocols and mobilized a cross-functional response team that includes senior leadership and external cybersecurity experts.”

It continued: “PowerSchool is not experiencing or expecting any business interruption to occur and is continuing to provide services to our customers as usual.” We have no indication that other PowerSchool products were affected by this incident. “

It concluded: “We take our responsibility to protect the privacy of students, families and educators extremely seriously and are committed to providing resources and support to affected customers, families and educators as they address this issue together.”

Parents who heard about the breach are waiting for a statement from the school district in Fairfax County, while affected districts nationwide are grappling with the fallout and offering “credit monitoring” and “identity protection” services to those affected.

On Reddit, school district system administrators expressed skepticism that they would get the full story from the email communications sent to them by PowerSchool officials. One expressed frustration with the company’s blanket assurances and added a parenthetical caveat with a swear word in an acronym, reflecting technology experts’ growing frustration with the hacking: “But don’t worry; They “address the situation in an organized and thorough manner.”