PowerSchool
PowerSchool, a leading provider of cloud-based software solutions for K-12 schools, has confirmed a cybersecurity breach that enabled a threat actor to steal personal information belonging to students and teachers. The incident targeted school districts using the company’s PowerSchool SIS platform.
Serving over 60 million students and 18,000 customers globally, PowerSchool plays a critical role in supporting K-12 schools with a wide range of services. These include platforms for enrollment, communication, attendance tracking, staff management, learning systems, analytics, and financial operations.
In addition to its well-known software solutions for school districts, PowerSchool operates Naviance, a popular platform in the U.S. that helps K-12 students with personalized planning for college, careers, and life readiness.
Targeted in data-theft attacks
PowerSchool informed its customers on Tuesday about a recent cybersecurity breach, revealing that attackers exploited its PowerSource customer support platform to steal sensitive data. The company discovered the breach on December 28, 2024, when it confirmed unauthorized access to PowerSchool SIS customer information.
PowerSchool SIS, a widely used student information system, manages critical data like student records, grades, attendance, and enrollment. According to a customer notification obtained by BleepingComputer, the attackers used compromised credentials to access the PowerSource portal. From there, they leveraged an “export data manager” tool to extract the ‘Students’ and ‘Teachers’ database tables, ultimately stealing the data in CSV format.
The stolen data primarily includes contact information such as names and addresses. However, for some districts, the breach extended to Social Security numbers (SSNs), personally identifiable information (PII), medical records, and grades. A PowerSchool spokesperson stated that the breach did not expose customer tickets, credentials, or forum data. The company also emphasized that the incident impacted only a subset of PowerSchool SIS customers, requiring notifications to stakeholders from affected districts.
In response to the breach, PowerSchool enlisted the help of third-party cybersecurity experts, including CrowdStrike, to investigate and bolster security. Immediate actions included resetting all PowerSource account passwords and strengthening password policies.
In a customer-only FAQ, PowerSchool clarified that the incident was not a ransomware attack but acknowledged paying a ransom to stop the release of stolen data. The company worked with CyberSteward, a professional advisor who negotiates with threat actors, and confirmed “reasonable assurances” that the data was deleted. While a video allegedly showing the deletion was provided, PowerSchool acknowledged the inherent uncertainty in such situations.
To mitigate risks, the company is actively monitoring the dark web for any signs of data leaks. For affected individuals, PowerSchool is offering credit monitoring services for adults and identity protection services for minors.
PowerSchool emphasized that its operations remain unaffected, and services are continuing without disruption. The company is now working closely with impacted school districts, providing communications packages that include outreach emails, talking points, and FAQs to assist in notifying teachers and families.
Determining if you're impacted
In a Reddit discussion about the PowerSchool incident, IT personnel from school districts shared insights on how customers can determine if their data was compromised. According to one user, customers should check the ps-log-audit files for a maintenance user labeled “200A0.”
“You can correlate audit log access with mass-data exports by reviewing timestamps in the mass-data logs,” advised a PowerSchool SIS customer.
Another user confirmed that their logs showed the Students and Teachers tables were exported on December 22, 2024. “Oh great, I have logs from 12/22 for Students_export.csv and Teachers_export.csv from a Ukrainian IP address,” they stated.
To assist customers further, PowerSchool is preparing detailed guides to help them identify whether they were impacted and pinpoint the data that was downloaded.
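The correlation the district IT staff describe (maintenance-user access lined up against mass-data export timestamps) can be scripted. The following is an added example, not code from PowerSchool or from the original article; the CSV log layout, the field names, the 30-minute window and the sample rows are all assumptions constructed for illustration, since the page does not show the real ps-log-audit or mass-data log formats.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. The real log layouts are not shown on the page,
# so a simple CSV layout with these column names is assumed.
AUDIT_LOG = """timestamp,user,source_ip,action
2024-12-22T03:10:05,200A0,203.0.113.45,login
2024-12-22T09:00:00,jsmith,198.51.100.7,login
2024-12-23T08:15:00,200A0,192.0.2.10,login
"""
EXPORT_LOG = """timestamp,file
2024-12-22T03:14:41,Students_export.csv
2024-12-22T03:19:02,Teachers_export.csv
2024-12-22T10:30:00,Attendance_export.csv
"""

MAINT_USER = "200A0"  # maintenance user named in the article
WATCHED = {"Students_export.csv", "Teachers_export.csv"}  # files named in the article


def _rows(text):
    """Parse CSV text and convert the timestamp column to datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        yield row


def correlate(audit_text, export_text, window=timedelta(minutes=30)):
    """Return maintenance-user accesses followed by a watched export within `window`."""
    exports = [e for e in _rows(export_text) if e["file"] in WATCHED]
    findings = []
    for access in _rows(audit_text):
        if access["user"] != MAINT_USER:
            continue
        hits = [e["file"] for e in exports
                if timedelta(0) <= e["timestamp"] - access["timestamp"] <= window]
        if hits:
            findings.append({"access_time": access["timestamp"],
                             "source_ip": access["source_ip"],
                             "files": sorted(hits)})
    return findings


if __name__ == "__main__":
    for f in correlate(AUDIT_LOG, EXPORT_LOG):
        print(f["access_time"].isoformat(), f["source_ip"], ", ".join(f["files"]))
```

Maintenance-user accesses with no matching export (the constructed 12/23 row here) are not reported by this function and are still worth reviewing by hand.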
Ongoing Investigation and Transparency
The investigation, led by cybersecurity firm CrowdStrike, is still underway. A finalized report is expected by January 17, 2025. PowerSchool has emphasized its commitment to transparency and plans to share the findings with affected school districts as soon as the report is ready.
Update 1/7/25: A typo in earlier communications, which incorrectly suggested that customer credentials, tickets, and the forum database were exfiltrated, has been corrected.
Source: BleepingComputer, Lawrence Abrams