February 13, 2025
After a review of the facts available and multiple attempts to obtain additional information from PowerSchool, the Future of Privacy Forum (FPF) has removed PowerSchool from the list of Student Privacy Pledge signatories.
Earlier this year, PowerSchool confirmed widespread media reports that it had experienced a data breach. According to reports, PowerSchool “confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.” FPF initiated a review, seeking to determine whether the company’s practices were and are consistent with its Pledge commitments, specifically with respect to technological safeguards in place to protect the security of data. Publicly available information appears to confirm that PowerSchool had failed to use multi-factor authentication on the breached account. Such a failure would potentially violate Pledge provisions, including commitments to:
“maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information”
PowerSchool did not provide additional information in response to FPF’s outreach within our standard 30-day review period. The list of Student Privacy Pledge signatories has been updated accordingly.
