A massive nationwide data breach at a California-based educational software provider has affected thousands of Minnesota students.

In the metro area, the breach at PowerSchool affected the St. Louis Park and Stillwater school districts, at the least. The Caledonia, Braham and Sauk Centre districts also were hit.

"The reach is quite large," said Doug Levin, national director of K12 Security Information Exchange, a nonprofit cybersecurity watchdog group. "It is to the best of my knowledge the largest cybersecurity incident that's impacted [kindergarten through 12th grade] education in the U.S."

The Star Tribune was unable to confirm how many schools were impacted. At least 15 public school districts and about 25 charter schools in Minnesota use the PowerSchool software that was breached, according to state records and a Star Tribune analysis.

Public schools and governments must report data breaches to Minnesota IT Services, the state's information technology arm. But Minnesota IT Services declined to name schools hit by the PowerSchool breach, or say what districts or how many students were affected.

A state law passed last year that requires breach reporting treats the information as nonpublic, the office said.

Shari L. Gross, The Minnesota Star Tribune
The Stillwater school district was affected by the PowerSchool breach, according to its director of information technology. The district, which has about 8,500 students, immediately launched its own forensics investigation, he said. Shown is Stillwater High School in 2024.

PowerSchool discovered in late December that hackers had purloined data from its student information system, an online portal used by students, parents and teachers.

The company, a market leader in K-12 educational software, has not said how many people were affected nationwide, but it's likely to be in the tens of millions, Levins said.

At Stillwater Area Public Schools, student records go back to about 2020, said Eric Simmons, the district's technology director. "We are monitoring the incident, and we are concerned about it."

PowerSchool notified Stillwater — and districts across the country — of the breach Jan. 7. The initial information was "pretty vague," Simmons said.

The Stillwater district, which has about 8,500 students, immediately launched its own forensics investigation, he said.

By the next day, "we were able to figure out what data was affected. It was a lot of basic demographic data for a lot of our students — names, addresses, phone numbers — but no financial information or Social Security numbers."

The Stillwater district has its own third-party cyber forensics vendor, which helped with the investigation.

"There are a lot of school districts in Minnesota that don't have the resources to do that," Simmons said.

Most U.S. schools use third-party vendors such as PowerSchool to run their student information portals, said Levin from the cybersecurity nonprofit. Student information systems contain all sorts of data, including grades and attendance.

"It is essentially who the student is, who their teachers are and who their parents are — sort of the crown jewels of student information," Levin said.

PowerSchool has 18,000 customers in 90 countries, including more than 90 of the 100 largest U.S. school districts, according to Bain Capital, a private equity firm that bought PowerSchool for $5.6 billion in October 2024.

PowerSchool says on its website that it took "immediate action" to contain the data breach, auditing and bolstering its security systems. The company has offered complimentary identity protection services to breach victims.

PowerSchool declined to comment beyond its online statements.

PowerSchool became aware Dec. 28 that hackers had extracted data between Dec. 19 and Dec. 23, according to a report by the cybersecurity firm CrowdStrike, posted on PowerSchool's website.

Data exposed included student and teacher names, contact information, birth dates and in some cases, medical information and Social Security numbers.

Currently, St. Louis Park Public Schools does not collect students' Social Security numbers, but the information has been collected in the past, said Ashley Sukhu, a district spokeswoman.

Social Security numbers of district employees were not compromised in the hack, she said.

Beyond that, "it's uncertain as to what information was compromised," she said.

The St. Louis Park district has 5,000 students, though it has records on students going back to the 1990s — and they too could have been exposed. Schools often maintain many years of student records.

PowerSchool had a good reputation for cybersecurity. Prior to the breach, it had been audited by outside IT experts, "something that companies do to signal they take cybersecurity seriously," Levin said.

Yet PowerSchool was hacked by someone who possessed leaked or stolen credentials and didn't require multifactor authentication — just a username and password, Levin said.

"There is no question PowerSchool had a failure of controls," he said.

Many lawsuits have been filed in regard to the PowerSchool breach.

The tech news website Bleeping Computer, cybersecurity expert Brian Krebs and NBC News all reported in January that PowerSchool paid the hackers to stop them from disclosing stolen data on the dark web, an online market for criminals.

That's what Craig Ihrke, superintendent of the 700-student Caledonia school district in southeastern Minnesota, heard from PowerSchool, too.

"The information we got from them was that they paid a ransom to the bad actor so the bad actor wouldn't go out and disseminate it," he said.

Paying ransoms is controversial. "It's a tough call for a school district," Levin said. "They're between a rock and a hard place."

In February 2023, hackers culled the data of about 105,000 students and employees of Minneapolis Public Schools, demanding $1 million ransom.

The district didn't pay, and sensitive student information was dumped onto the dark web, one of the worst outcomes of any U.S. school hack.

Still, paying ransom can be an incentive for criminals to continue hacking. "They have a business model that is proven to work," Levin said.

Plus, there's no guarantee cybercriminals won't renege on their promise. "I would take that with a huge grain of salt," Levin said.

Schools could continue to be a target. Many districts have outdated computer systems and understaffed IT departments.

"K-12 education continues to be targeted because it's seen as low-hanging fruit," said Simmons of the Stillwater district.