
PowerSchool data breach: Explaining how it happened

Hackers are going to school (literally) as the education sector has become an increasingly attractive target for cybercriminals.

In recent years, multiple types of cyberattacks have become commonplace against educational facilities -- particularly ransomware. The education sector has been reported to have the highest ransomware attack rate.

Cyberattackers might choose to directly exploit an educational facility. Another approach is to use a supply chain attack and exploit a tool the schools use. That's what happened in December 2024, when education technology company PowerSchool was breached.

Headquartered in Folsom, Calif., PowerSchool is a leading provider of cloud-based software for K-12 education in North America. The company's SaaS platform provides services for multiple aspects of education, including student information systems, learning management and analytics.

PowerSchool serves over 18,000 school organizations across 90 countries, supporting the activities of over 60 million students. PowerSchool's wide deployment and usage put many educational facilities and their student communities at risk. This incident has raised serious concerns about data security in the education sector and the potential long-term consequences for affected students and staff.

Details about the incident

On Dec. 28, 2024, PowerSchool claimed it first discovered unauthorized access to its systems. According to PowerSchool, the initial attack vector was the company's community-focused customer support portal, PowerSource.

The breach allowed hackers to access the PowerSchool Student Information System (SIS), a central database containing a wealth of student and staff data.

PowerSchool didn't begin to communicate with customers about the data breach until Jan. 7, 2025.

PowerSchool hired cybersecurity vendor CrowdStrike to help investigate the alleged attack. PowerSchool also paid the attackers some form of fee to keep the data from being released. Because PowerSchool paid the threat actors to destroy the stolen data, the incident is classified as an extortionware event.

How did this attack happen?

The early investigation into the attack provides some clues as to how the attack happened.

Credential theft

The attackers obtained, or otherwise used, a compromised credential to access PowerSchool's PowerSource customer support portal. It is not yet clear how the credential was compromised, though credential theft is a relatively common attack. Credentials can be stolen in any number of ways, including phishing and social engineering attacks.

Unauthorized access

The PowerSource customer support portal that the attacker accessed contained a maintenance tool that allowed PowerSchool engineers to access customer SIS instances for support and for troubleshooting performance issues.

Data exfiltration

Once inside the system, the attackers used the export data management customer support tool to extract data from the students and teachers database tables in the PowerSchool SIS.
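The three steps above (a stolen support credential, a maintenance tool with access to many customer instances, and a bulk export of PII tables) are the pattern a defender can look for in the support tool's own audit trail. The following is an added example, not PowerSchool's code or log format: it parses constructed audit lines for a hypothetical export tool and flags bulk exports of PII tables and a single support account exporting from more customer instances than one support case would normally touch. The line format, field names, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines for a hypothetical support-portal export tool.
# Format, field names and account names are assumptions for this example.
SAMPLE_LOG = """\
2024-12-19T02:14:07Z user=support-eng-01 action=export customer=district-a table=students rows=48213
2024-12-19T02:15:31Z user=support-eng-01 action=export customer=district-a table=teachers rows=3102
2024-12-19T02:17:02Z user=support-eng-01 action=export customer=district-b table=students rows=91044
2024-12-19T02:18:44Z user=support-eng-01 action=export customer=district-c table=students rows=67781
2024-12-19T14:02:10Z user=support-eng-07 action=export customer=district-d table=schedule rows=220
2024-12-20T09:30:00Z user=support-eng-02 action=query customer=district-e table=students rows=1
"""

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"customer=(?P<customer>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)")
SENSITIVE_TABLES = {"students", "teachers"}  # tables holding PII


def parse(log):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["rows"] = int(e["rows"])
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def detect(events, row_threshold=10000, max_customers=2, window_minutes=60):
    """Flag bulk exports of PII tables and one account exporting from too many tenants."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["action"] != "export" or e["table"] not in SENSITIVE_TABLES:
            continue  # read-only queries and non-PII tables are not of interest here
        if e["rows"] >= row_threshold:
            alerts.append(("bulk_export", e["user"], e["customer"], e["table"]))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each export
            in_window = [x for x in evs[i:]
                         if (x["ts"] - start["ts"]).total_seconds() <= window_minutes * 60]
            customers = sorted({x["customer"] for x in in_window})
            if len(customers) > max_customers:
                alerts.append(("multi_tenant_export", user, customers))
                break
    return alerts
```

Run against the sample, the three district-wide student exports trip the bulk rule and the same account touching three districts within minutes trips the multi-tenant rule; the schedule export and the single-row query do not.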

Who was affected?

According to PowerSchool, the December 2024 security incident specifically affected a subset of institutions using PowerSchool's SIS. Schools and districts that don't use PowerSchool SIS were not impacted by this incident.

While the exact number of affected individuals remains unknown, the scale of the breach is significant given PowerSchool's extensive user base: with PowerSchool SIS in widespread use across North America, the breach potentially affected millions of students and teachers.

According to PowerSchool's public disclosure, the breach exposed personally identifiable information (PII) for a portion of individuals. The affected individuals fall into two main categories:

Students and families

  • Select students whose information was stored in affected SIS systems.
  • Family members associated with these student records.

Educators

  • School staff members whose information was stored in the compromised systems.
  • Personnel whose records contained PII in affected districts.

Some school districts reported that historical data was compromised, so past staff and students were also affected.

What data was stolen?

While the total volume of stolen data has not been publicly disclosed, PowerSchool has shared some types of stolen data.

The data stolen in the breach comprises PII for students, parents and educators, including the following:

  • Names.
  • Addresses.
  • Birth dates.
  • Social Security numbers.
  • Medical information.
  • Academic records.

According to PowerSchool, there's no evidence that banking or credit card information was compromised.

PowerSchool will provide identity protection services for students and educators and credit monitoring services for affected adults.

Timeline of attack

While full details on the attack have not yet been publicly revealed, there are some indications and disclosures that provide insight into the timeline of the attack:

  • Dec. 19-23, 2024. Suspected start of unauthorized access to PowerSchool's systems.
  • Dec. 28, 2024. PowerSchool becomes aware of the potential cybersecurity incident.
  • Jan. 7, 2025. PowerSchool notifies affected school districts about the data breach.
  • Jan. 8, 2025. Some school districts begin notifying parents and staff about the breach.
  • Jan. 13, 2025. Public disclosure of the incident on PowerSchool's website.

Who was responsible for the attack?

The full scope of the breach remains under investigation; PowerSchool is working with the FBI and security vendor CrowdStrike to determine who was behind the attack.

The company has not publicly attributed the incident to a specific hacker or group, and many details about how the attackers initially obtained the credentials used to access the support portal remain unclear.

What is the impact of this attack?

The PowerSchool data breach has a broad impact on students, educators and educational institutions:

  • Privacy concerns. The data leakage of PII puts affected individuals at risk of identity theft and fraud.
  • Long-term risk. The compromise of personal data could have long-lasting effects, as data such as Social Security numbers and birth date information can be misused years into the future.
  • Financial impact. Education districts and schools might need to spend money to improve cybersecurity and provide higher degrees of privacy assurance.
  • Legal challenges. There could be lawsuits against PowerSchool and potentially school districts.
  • Operational disruptions. While PowerSchool claims no operational disruptions, affected schools may need to implement new security measures and update data management practices and privacy controls.

Other related incidents

There is no shortage of cybersecurity events involving the education sector. In 2024, the education sector was a prime target for cybercriminals, with several high-profile attacks affecting schools and universities across North America.

Here's an overview of significant education-related cyberattacks in 2024.

Date            Institution                              Location              Incident type
May 3, 2024     Ewing Marion Kauffman School             Missouri, USA         Ransomware
May 15, 2024    Rockford Public Schools                  Michigan, USA         Ransomware
June 17, 2024   Alabama State Department of Education    Alabama, USA          Ransomware
June 12, 2024   Toronto District School Board            Toronto, Canada       Ransomware
Aug. 2024       Academia.edu                             Online                Cyberattack
Sept. 7, 2024   Highline Public Schools                  Washington, USA       Ransomware
Dec. 2, 2024    Pembina Trails School Division           Manitoba, Canada      Cyberattack

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
