Education technology giant PowerSchool recently disclosed a data breach impacting its PowerSource customer support portal. While the full extent of the breach remains unclear, the potential exposure of sensitive data belonging to K-12 students and teachers raises significant concerns. PowerSchool’s Student Information System (SIS) platform serves over 60 million students and 18,000 customers, highlighting the vast potential impact of this incident.
Initial reports indicate the compromised data may range from names and addresses to more sensitive information like Social Security numbers (SSNs), personally identifiable information (PII), grades, and medical records, depending on the specific school district. Bleeping Computer has been closely covering the developing story and providing updates on the affected districts.
PowerSchool confirmed its awareness of the incident on December 28, 2024, and subsequently notified affected customers. The company explained that unauthorized access occurred through the PowerSource portal, a community-focused customer support platform. The attackers gained entry using compromised credentials and then extracted data using an internal tool called the “export data manager,” typically utilized by PowerSchool engineers for support and troubleshooting.
The stolen data was compiled into a CSV file. PowerSchool has stated that certain data, including customer tickets, credentials, and forum data, were not compromised. Furthermore, the company asserts that not all PowerSchool SIS customer data was affected, with only a subset of customers receiving notifications of data exposure. However, the precise number of affected individuals and the full scope of the data breach remain undisclosed.
PowerSchool has taken immediate action to address the security breach. This includes changing all passwords, implementing stricter security guidelines, and engaging cybersecurity experts from CrowdStrike to manage the incident. CyberSteward, a professional advisor experienced in negotiating with threat actors, was also consulted.
While PowerSchool maintains this was not a ransomware attack, the company confirmed paying a ransom to prevent the public release of the stolen data. The threat actors provided assurances, including video evidence, of the data’s deletion. However, there are inherent risks associated with trusting such assurances, leaving lingering concerns about the data’s ultimate fate.
Despite the breach, PowerSchool’s systems remain operational, and the company is offering credit monitoring services to affected adults. For individuals concerned about their school district’s involvement, Bleeping Computer’s coverage provides a guide for determining potential exposure.
This incident underscores the increasing vulnerability of sensitive data in the education sector, highlighting the critical need for robust cybersecurity measures to protect student and teacher information.