A U.S. school district affected by a recent cyberattack by edtech giant PowerSchool told TechCrunch that hackers accessed "all" historical student and teacher data stored in student information systems.

PowerSchool, whose school records software is used to support more than 50 million students across the U.S., was breached in December when credentials were stolen from the company's customer support portal, allowing access to vast troves of personal data belonging to students and teachers at K- 12 schools. It has not been disclosed whether the attack was carried out by a specific hacker or group.

PowerSchool has not disclosed how many school customers were affected. However, two unnamed sources at the affected school districts told TechCrunch that the hackers accessed a large amount of personal data on current and former students and teachers.

"In our case, I just confirmed that they had access to historical data for all students and teachers," a person from the affected school district told TechCrunch. While PowerSchool said hackers had access to its data since late December, the district's logs show the attackers had gained access earlier, the person added.

Another person who works for a school district with nearly 9,000 students told TechCrunch that the attackers obtained "demographic data for all teachers and students, active and historical, for as long as we've had PowerSchool."

"We've seen this access in the logs and (PowerSchool) has disclosed it on customer calls," the second person said. They added that PowerSchool did not protect affected systems with basic protections such as multi-factor authentication.

When contacted by TechCrunch, PowerSchool spokesperson Beth Keebler did not dispute the customer's account but declined to discuss its security controls, citing company policy. When asked if PowerSchool uses multi-factor security in its operations, Keebler said the company "does use MFA," but did not elaborate.

Multiple school districts have publicly released information about how PowerSchool breaches affected their students and staff. The Menlo Park City School District, another school district affected by the PowerSchool breach, also confirmed that its historical data was accessed during the breach. The California school district said in a notice posted on its website that the hackers obtained data on "all current students and staff," as well as those dating back to the beginning of the 2009-2010 school year.

PowerSchool spokesperson Keebler declined to comment on the scale of the data breach, but told TechCrunch that PowerSchool has "identified the schools and districts involved in the data." The company declined to publicly name those schools or districts.

Keebler said PowerSchool is still working to identify specific individuals whose data may have been accessed.

In a sign of the scale of the breach, Marc Racine, CEO of RootED Solutions, a Boston-based education technology consulting firm, said in a blog post this week that the PowerSchool breach also affected school districts of former PowerSchool clients. could expand beyond the organization's current 18,000 education customers.

Racine added that some districts are reporting that the number of affected students is four to 10 times higher than the number of students actively enrolled in the district.

According to a PowerSchool FAQ that TechCrunch shared with customers last week, the data stolen in the breach includes individual names and addresses, Social Security numbers, some medical and grade information, and other unspecified personally identifiable information belonging to students and teachers. .

The California school district Rancho Santa Fe affected by the hack, one of the first PowerSchool customers to file a data breach notification with state regulators, said the attackers also gained access to teachers' credentials to access PowerSchool.

When asked by TechCrunch, Keebler said, "The types of data stored in the Student Information System (SIS) platform, as well as retention policies for historical data, vary based on individual customer and state requirements."

"While our data review is ongoing, we anticipate that most of the customers involved did not have their Social Security numbers or medical information compromised," Kibler told TechCrunch in a statement on Tuesday.

PowerSchool told TechCrunch last week that it had taken "appropriate steps" to prevent the stolen data from becoming public and said it "believes the data has been deleted without any further copying or dissemination." The company did not provide specific steps it took and declined to disclose What evidence does the company have that the stolen data was deleted?

Do you know more about the PowerSchool data breach? We'd love to hear from you. From a non-work device, you can contact Carly Page securely via Signal (+44 1536 853968) or email carly.page@techcrunch.com.