BIRMINGHAM, Ala. – A cybersecurity breach targeting K-12 information giant PowerSchool has raised concerns about the security of student and teacher data, Alabama State Superintendent Eric Mackey told Alabama Daily News on Wednesday.
“This was an international incident where PowerSchool was hit off-site, and so there’s nothing that our districts or the State Department could have done differently,” Mackey said.
The data hackers accessed is categorized as “directory data,” which typically is less sensitive information, but can include students’ and educators’ names, address and phone numbers.
“We’re still working with PowerSchool on specifics,” Mackey said.
While it does not appear that any sensitive data was compromised, Mackey acknowledged that any breach is concerning.
“Obviously, we’re very concerned about this – concerned about it every day – because there’s just no way to ever completely say all of this data is 100% secure,” he said.
PowerSchool hosts applications to help K-12 schools manage their information systems. It informed customers in a letter, later published in news reports, that the breach was discovered on Dec. 28. The hackers gained access through the company’s PowerSource portal, which hosts information on students and teachers. However, the letter stated that no other PowerSchool products were affected.
The FBI is investigating the incident, but neither the agency nor PowerSchool has issued public statements about the breach.
This latest incident comes less than a year after the Alabama Department of Education experienced its own data breach. That attack involved sensitive employee and student records, including bank account information and student identification numbers. Mackey said the incident is technically closed, and none of the information has appeared on the dark web.
In response to last year’s breach, the Department invested heavily in cybersecurity.
“We’ve spent hundreds of thousands of dollars and added multiple layers or security to our internal data, and I can say for sure it’s a lot more secure today than it was a year ago,” Mackey said.
Cyberattacks on schools have become increasingly common, with Alabama school districts being hit in recent years. A ransomware attack on Jefferson County schools in 2023 disrupted operations for months.
Experts say schools often lack the resources to adequately protect their systems from cyber threats. A federal website devoted to cybersecurity in K-12 schools offers resources to help schools safeguard data but notes the challenges posed by limited budgets and outdated systems.
Recognizing these vulnerabilities, Alabama lawmakers have allocated funds in recent years to strengthen school cybersecurity. However, the sheer number and evolving nature of cyber threats means the risk of future attacks remains high.