PowerSchool Hack: A Massive Data Breach Impacts Millions of Students and Teachers in K-12 Districts
Education technology giant PowerSchool recently confirmed a significant cybersecurity incident resulting in the unauthorized access and theft of sensitive personal information belonging to students and teachers across numerous K-12 school districts. The breach, discovered on December 28, 2024, compromised data held in the company’s PowerSchool SIS platform, which serves more than 18,000 customers worldwide and over 60 million students; only a subset of those customers is believed to be affected. This PowerSchool hack highlights the vulnerability of sensitive educational data within cloud-based systems.
PowerSchool SIS System Hacked Using Compromised Credential on PowerSource
The attackers gained access to the PowerSchool SIS system through a compromised credential on PowerSource, a community-focused customer support portal. PowerSource includes a “maintenance access tool” allowing PowerSchool engineers to access customer SIS instances for support and troubleshooting. This tool, unfortunately, became the entry point for the malicious actors. The attackers exploited this access to export data from the ‘Students’ and ‘Teachers’ database tables into CSV files, which were then exfiltrated.
The stolen data primarily includes contact details such as names and addresses. However, the severity of the breach varies depending on the specific school district. In some cases, the compromised data also included Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades – a deeply concerning revelation for parents and educators alike. A PowerSchool spokesperson confirmed to BleepingComputer that customer tickets, customer credentials, and forum data were not compromised in this particular incident.
“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” reads a notification.
The company emphasized that not all PowerSchool SIS customers were affected, and only a subset will need to issue notifications. As noted above, the attackers used a compromised credential to access PowerSource and its maintenance access tool, and through that tool exported the PowerSchool SIS ‘Students’ and ‘Teachers’ database tables to CSV files, which were then stolen.
PowerSchool’s Response to Hack and Mitigation Efforts
PowerSchool engaged third-party cybersecurity experts, including CrowdStrike, to investigate and contain the breach. In response to the incident, the company took several steps, including rotating all PowerSource customer support portal account passwords and implementing stricter password policies. Remarkably, PowerSchool confirmed in a customer-only FAQ that this was not a ransomware attack, but that it did pay a ransom to prevent the stolen data from being released.
“PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors. With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
While PowerSchool received a video purportedly showing data deletion, the company acknowledges the inherent uncertainty in such situations and continues to monitor the dark web for any potential leaks. The company is offering credit monitoring services to affected adults and identity protection services for affected minors. PowerSchool asserts that its operations remain unaffected, and services continue as usual.
School district IT personnel discovered that they could detect whether their data was stolen by checking the ps-log-audit files for activity by a maintenance user named “200A0”, and by correlating that audit log access with the mass-data export logs. One customer reported logs showing the export of the ‘Students’ and ‘Teachers’ tables on December 22, 2024, from a Ukrainian IP address. PowerSchool will provide detailed guides to help customers determine if they were impacted and what data was downloaded.
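To make the detection described above concrete, here is an added example (not PowerSchool's tooling and not from the original article) that scans audit log lines for the “200A0” maintenance user and lists its exports of the Students and Teachers tables. The line layout, user names, row counts and the 203.0.113.45 address are constructed assumptions; a real ps-log-audit file would need its own parser.

```python
import re
from datetime import datetime

# Constructed sample lines in an assumed "timestamp key=value ..." layout.
# This is NOT PowerSchool's real ps-log-audit format; adapt parse_line() to yours.
SAMPLE_AUDIT_LOG = """\
2024-12-22 03:14:07 user=jsmith ip=10.0.5.12 action=LOGIN
2024-12-22 03:20:41 user=200A0 ip=203.0.113.45 action=LOGIN
2024-12-22 03:21:09 user=200A0 ip=203.0.113.45 action=EXPORT table=Students rows=48211
2024-12-22 03:23:55 user=200A0 ip=203.0.113.45 action=EXPORT table=Teachers rows=3120
2024-12-22 08:02:13 user=mjones ip=10.0.5.30 action=EXPORT table=Courses rows=412
"""

MAINTENANCE_USER = "200A0"               # indicator reported by district IT staff
SENSITIVE_TABLES = {"Students", "Teachers"}  # tables the article says were exported
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")

def parse_line(line):
    """Parse one constructed audit line into a dict; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
    except ValueError:
        return None
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event

def find_maintenance_exports(log_text):
    """Return (maintenance_seen, exports): whether 200A0 appears at all, plus each
    export of a sensitive table it performed as (iso_timestamp, table, ip, rows)."""
    maintenance_seen = False
    exports = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("user") != MAINTENANCE_USER:
            continue
        maintenance_seen = True  # any 200A0 activity is worth reviewing on its own
        if ev.get("action") == "EXPORT" and ev.get("table") in SENSITIVE_TABLES:
            exports.append((ev["ts"].isoformat(), ev["table"], ev.get("ip", "?"),
                            int(ev.get("rows", 0))))
    return maintenance_seen, exports

if __name__ == "__main__":
    seen, hits = find_maintenance_exports(SAMPLE_AUDIT_LOG)
    print("maintenance user present:", seen)
    for ts, table, ip, rows in hits:
        print(f"{ts} export of {table} ({rows} rows) from {ip}")
```

Presence of the maintenance user alone is the first indicator; the export entries and their source address are what a district would then match against PowerSchool's forthcoming guidance.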
The investigation is ongoing, with CrowdStrike expected to release a final report by January 17, 2025. PowerSchool is committed to transparency and will share this report with affected school districts.
The PowerSchool Hack and its Implications for Data Security in Education
The PowerSchool hack serves as a stark reminder of the ongoing threat to sensitive data within the education sector. The incident underscores the need for robust cybersecurity measures, employee training, and multi-layered security protocols to protect the personal information of students and educators. The breach highlights the potential consequences of compromised credentials and the importance of regular security audits and vulnerability assessments. The ongoing investigation and subsequent report from CrowdStrike will be crucial in understanding the full extent of the breach and informing future security practices within the K-12 education system.