What PowerSchool won't say about its data breach affecting millions of students
techcrunch.com
We're only a few months into 2025, but the recent hack of U.S. edtech giant PowerSchool is on track to be one of the biggest education data breaches in recent years.

PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, first disclosed the data breach in early January 2025.

The California-based company, which Bain Capital acquired for $5.6 billion, said an unknown hacker used a single compromised credential to breach its customer support portal in December 2024, allowing further access to the company's school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment.

While PowerSchool has been open about some aspects of the breach (for example, PowerSchool told TechCrunch that the breached PowerSource portal did not support multi-factor authentication at the time of the incident), several important questions remain unanswered months on.

TechCrunch sent PowerSchool a list of outstanding questions about the incident, which potentially affects millions of students.

PowerSchool spokesperson Beth Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company's incident page. On January 29, the company said it began notifying individuals affected by the breach and state regulators.

Many of the company's customers also have outstanding questions about the breach, forcing those affected to work together to investigate the hack.

In early March, PowerSchool published its data breach postmortem, as prepared by CrowdStrike, two months after PowerSchool customers were told it would be released. While many of the details in the report were known, CrowdStrike confirmed that a hacker had access to PowerSchool's systems as early as August 2024.

Here are some of the questions that remain unanswered.

PowerSchool hasn't said how many students or staff are affected

TechCrunch has heard from PowerSchool customers that the scale of the data breach could be massive. But PowerSchool has repeatedly declined to say how many schools and individuals are affected, despite telling TechCrunch that it had identified the schools and districts whose data was involved in this incident.

Bleeping Computer, citing multiple sources, reported in January that the hacker responsible for the PowerSchool breach accessed the personal data of more than 62 million students and 9.5 million teachers. When asked by TechCrunch, PowerSchool declined to confirm whether this number was accurate.

PowerSchool's filings with state attorneys general and communications from breached schools, however, suggest that millions of people likely had personal information stolen in the data breach.

In a filing with the Texas attorney general, PowerSchool confirmed that almost 800,000 state residents had data stolen. A January filing with Maine's attorney general said at least 33,000 residents were affected, but this has since been updated to say the number of impacted individuals is to be determined.

The Toronto District School Board, Canada's largest school board, which serves approximately 240,000 students each year, said the hacker may have accessed some 40 years' worth of student data, with the data of almost 1.5 million students taken in the breach.

California's Menlo Park City School District also confirmed the hacker accessed information on all current students and staff (which respectively number around 2,700 students and 400 staff), as well as students and staff dating back to the start of the 2009-10 school year.

PowerSchool hasn't said what types of data were stolen

Not only do we not know how many people were affected, but we also don't know how much or what types of data were accessed during the breach.

In a communication shared with customers in January, seen by TechCrunch, PowerSchool said the hacker stole sensitive personal information on students and teachers, including students' grades, attendance, and demographics.

The company's incident page also states that stolen data may have included Social Security numbers and medical data, but says that due to differences in customer requirements, "the information exfiltrated for any given individual varied across our customer base."

TechCrunch has heard from multiple schools affected by the incident that all of their historical student and teacher data was compromised.

One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student data, such as information about parental access rights to their children, restraining orders, and information about when certain students need to take their medications.

A source speaking with TechCrunch in February revealed that PowerSchool has provided affected schools with a SIS Self Service tool that can query and summarize PowerSchool customer data to show what data is stored in their systems. PowerSchool told affected schools, however, that the tool may not precisely reflect data that was exfiltrated at the time of the incident.

It's not known if PowerSchool has its own technical means, such as logs, to determine which types of data were stolen from specific school districts.

PowerSchool won't say how much it paid the hacker responsible for the breach

PowerSchool told TechCrunch that the organization had taken appropriate steps to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach.

This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, or how much the hacker demanded.

We don't know what evidence PowerSchool received that the stolen data has been deleted

PowerSchool's Keebler told TechCrunch that the company does not anticipate the data being shared or made public and that it believes the data has been deleted without any further replication or dissemination.

However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn't confirm or deny when asked by TechCrunch.

Even then, proof of deletion is by no means a guarantee that the hacker is no longer in possession of the data; the U.K.'s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.

The hacker behind the data breach is not yet known

One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hacker but has refused to reveal their identity, if known.

CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch's questions.

CrowdStrike's forensic report leaves questions unanswered

Following PowerSchool's release of its CrowdStrike forensic report in March, one person at a school affected by the breach told TechCrunch that the findings were underwhelming.

The report confirmed the breach was caused by a compromised credential, but the root cause of how the compromised credential was acquired and used remains unknown.

Marc Racine, chief executive of the Boston-based education technology consulting firm RootED Solutions, told TechCrunch that while the report provides some detail, there is not enough information to understand what went wrong.

It's not known exactly how far back PowerSchool's breach actually goes

One new detail in the CrowdStrike report is that a hacker had access to PowerSchool's network between August 16, 2024, and September 17, 2024. The access was gained using the same compromised credentials used in December's breach, and the hacker accessed PowerSchool's PowerSource, the same customer support portal compromised in December to gain access to PowerSchool's school information system.

CrowdStrike said, however, that there is not enough evidence to conclude this is the same threat actor responsible for December's breach, due to insufficient logs. But the findings suggest that the hacker, or multiple hackers, may have had access to PowerSchool's network for months before the access was detected.

Do you have more information about the PowerSchool data breach? We'd love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.