PowerSchool hack exposes student, teacher data from K-12 districts
School districts known to be impacted by the PowerSchool breach are listed at the bottom of the article.
Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
While the company’s products are mostly known by school districts and their staff, PowerSchool also operates Naviance, a platform used by many K-12 districts in the US to offer personalized college, career, and life readiness planning tools to students.
Targeted in data-theft attacks
In a cybersecurity incident notification sent to customers Tuesday afternoon and obtained by GeekFeed, PowerSchool says they first became aware of the breach on December 28, 2024, after PowerSchool SIS customer information was stolen through its PowerSource customer support platform.
PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more.
“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” reads a notification shared with GeekFeed.
After investigating the incident, it was determined that the threat actor gained access to the portal using compromised credentials and stole data using an “export data manager” customer support tool.
“The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource,” PowerSchool told GeekFeed in a statement.
“PowerSource contains a maintenance access tool that allows PowerSchool engineers to access Customer SIS instances for ongoing support and to troubleshoot performance issues.”
Using this tool, the attacker exported the PowerSchool SIS ‘Students’ and ‘Teachers’ database tables to a CSV file, which was then stolen.
PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades.
A PowerSchool spokesperson told GeekFeed that customer tickets, customer credentials, or forum data were not exposed or exfiltrated in the breach.
The company also stressed that not all PowerSchool SIS customers were impacted and that they anticipate only a subset of customers will have to issue notifications.
In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.
This includes rotating the passwords for all PowerSource customer support portal accounts and implementing tighter password policies.
In an unusually transparent FAQ only accessible to customers, PowerSchool also confirmed that this was not a ransomware attack but that they did pay a ransom to prevent the data from being released.
“PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors,” reads an FAQ seen by GeekFeed.
“With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
When asked how much was paid to the threat actors, GeekFeed was told, “Given the sensitive nature of our investigation, we are unable to provide information on certain specifics.”
While the company said they received a video showing that the data was deleted, as with all data extortion attacks, there is never a hundred percent guarantee that it was.
The company is now continuously monitoring the dark web to determine if the data has been leaked or will be leaked in the future.
For those impacted, PowerSchool is offering credit monitoring services to impacted adults and identity protection services for impacted minors.
PowerSchool says its operations remain unaffected, and services continue as usual despite the breach.
The company is now notifying impacted school districts and will be providing a communications package that includes outreach emails, talking points, and FAQs to help inform teachers and families about the incident.
If you have first-hand information or were behind the PowerSchool attack, we would like to speak to you.
Determining if your school district is impacted
GeekFeed has learned that PowerSchool will soon provide detailed guides for customers to check if they were impacted and determine what data was stolen.
In the meantime, a Reddit thread about the incident contains valuable information from IT personnel whose school districts were impacted, explaining how to detect whether data was stolen from their PowerSchool SIS database.
Customers can first check if a maintenance user named “200A0” is listed in the ps-log-audit files. This maintenance user is linked to the PowerSource “export data manager” customer support tool that the threat actor used to exfiltrate data.
“You can correlate audit log access with mass-data exports by time in the mass-data logs,” advised a PowerSchool SIS customer.
A detailed guide written by Romy Backus, SIS Specialist at the American School of Dubai, explains how to check the PowerSchool SIS logs to determine if data was stolen.
This guide and other reports indicate that data was first stolen on December 22, 2024, from IP address 91.218.50.11. This IP address belongs to a website and virtual hosting company in Ukraine.
The guide explains how to check what data fields may have been stolen from the “Students” and “Teachers” database tables, which include a lot of sensitive information.
While PowerSchool says that not all of these fields may be populated by data, the stolen data could include sensitive information for minors, such as names, addresses, phone numbers, Social Security Numbers, grade point averages, bus stops, passwords, notes, alerts, student IDs, parent information, and medical information.
For teachers, the data could include their names, addresses, phone numbers, Social Security Numbers, and passwords.
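The log check described above (the "200A0" maintenance user in ps-log-audit, correlated by time with mass-data exports and the reported source IP) can be scripted; the following is an added example, not code from PowerSchool or from the guide. The log line layout, the leading timestamp format, the 30-minute window and the sample lines are assumptions constructed for illustration, and real PowerSchool SIS logs will need the timestamp pattern adjusted.

```python
import re
from datetime import datetime, timedelta

MAINT_USER = "200A0"         # maintenance user named in the article
SOURCE_IP = "91.218.50.11"   # source IP reported in the article
# ASSUMPTION: every log line starts with "YYYY-MM-DD HH:MM:SS"; adjust
# TS_RE / TS_FMT to the layout of your own ps-log-audit and mass-data files.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample lines, not real PowerSchool log output.
AUDIT = [
    "2024-12-22 03:14:07 user=200A0 ip=91.218.50.11 action=login",
    "2024-12-22 09:00:00 user=jsmith ip=10.0.0.5 action=login",
    "2024-12-23 11:30:00 user=kdoe ip=91.218.50.110 action=login",
]
EXPORTS = [
    "2024-12-22 03:20:41 export table=Students rows=15234",
    "2024-12-22 03:25:02 export table=Teachers rows=1201",
    "2024-12-22 14:00:00 export table=Students rows=12",
]

def has_token(line, token):
    """Whole-token match, so 91.218.50.11 does not hit 91.218.50.110."""
    pat = r"(?<![\w.])" + re.escape(token) + r"(?!\w)(?!\.\d)"
    return re.search(pat, line) is not None

def parse(lines):
    """Yield (timestamp, line) for lines that carry a parseable timestamp."""
    for line in lines:
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), line.rstrip()

def audit_hits(audit_lines):
    """Audit entries mentioning the maintenance user or the reported IP."""
    return [(ts, l) for ts, l in parse(audit_lines)
            if has_token(l, MAINT_USER) or has_token(l, SOURCE_IP)]

def correlate(audit_lines, export_lines, window=WINDOW):
    """Pair each suspicious audit entry with exports logged within `window`."""
    exports = list(parse(export_lines))
    return [(line, [e for ets, e in exports if abs(ets - ts) <= window])
            for ts, line in audit_hits(audit_lines)]

if __name__ == "__main__":
    for entry, nearby in correlate(AUDIT, EXPORTS):
        print(entry, "->", nearby or "no exports in window")
```

An audit hit with no nearby export still warrants review, since the window and timestamp handling here are assumptions rather than PowerSchool guidance.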
The investigation is ongoing, with cybersecurity firm CrowdStrike expected to release a finalized report by January 17, 2025.
PowerSchool says they are committed to transparency and will share the report with affected school districts when it is ready.
Impacted school districts
After the security incident was disclosed by PowerSchool, school districts have begun notifying parents and students about the breach today.
Below is a list of school districts that our readers say were impacted by the PowerSchool breach:
- Alabama School Districts
- Etowah County School District in Alabama
- San Diego Unified School District in California*
- Colchester School District in Connecticut*
- East Hartford Public Schools in Connecticut*
- Easton Redding Region 9 School Districts in Connecticut
- Norwalk Public Schools in Connecticut*
- North Branford Public Schools Community in Connecticut*
- Region 1 School District in Connecticut
- Brownsburg Community Schools in Indiana*
- Mississinewa Community School Corporation in Indiana
- Noblesville Schools in Indiana*
- Pekin Schools in Iowa
- Andover Public Schools in Kansas*
- Ascension Parish Public Schools in Louisiana
- Orleans Parish School Board (NOLA Public Schools) in Louisiana*
- St. Charles Parish Public Schools in Louisiana
- Maine School Administrative District in Maine
- Amherst-Pelham Regional School District in Massachusetts*
- Berkshire Hills Regional School District in Massachusetts*
- Canton Public Schools in Massachusetts*
- Hopkinton Public Schools in Massachusetts*
- Lenox Public Schools in Massachusetts*
- Pittsfield Public Schools in Massachusetts
- Westford Public Schools in Massachusetts
- Bessemer Area Schools in Michigan
- SAU 21 in New Hampshire
- Valentine Community Schools in Nebraska
- Burlington Township School District in New Jersey*
- Millburn Township Public Schools in New Jersey
- West Orange Public Schools in New Jersey*
- East Greenbush Central School District in New York*
- North Carolina School Districts
- All North Dakota schools may be impacted
- Edgeley School District in North Dakota
- Fairmount Public Schools in North Dakota
- Langdon Area Schools in North Dakota
- North Border School District in North Dakota
- Ray Public Schools in North Dakota
- Tioga Public Schools in North Dakota
- Lower Merion School District (LMSD) in Pennsylvania
- Oxford Area School District in Pennsylvania
- St. Hubert Catholic High School for Girls in Pennsylvania
- Florence 1 Schools in South Carolina
- School District of Newberry County in South Carolina
- Champlain Valley School District in Vermont*
- Colchester School District in Vermont
- Winooski School District in Vermont*
- Sturgeon Bay Schools in Wisconsin
- Conseil scolaire FrancoSud in Alberta, Canada*
- Elk Island Public Schools in Alberta, Canada*
- Red Deer Public Schools in Alberta, Canada*
- Medicine Hat Public School Division in Alberta, Canada (They are investigating)
- St. Albert Public Schools in Alberta, Canada
- Wolf Creek Public Schools in Alberta, Canada*
- Dufferin Peel Catholic District School in Ontario, Canada
- Durham District School Board in Ontario, Canada
- Peel District School Board in Ontario, Canada
- Toronto District School Board (TDSB) in Ontario, Canada
- Upper Canada District School Board in Ontario, Canada
- York Region District School Board in Ontario, Canada
- Cape Breton-Victoria Regional Centre for Education in Nova Scotia, Canada
- School districts in Newfoundland and Labrador in Canada
* Residents of these school districts have shared emails stating they were impacted. If you have a formal link or email to a disclosure, please share it.
If you know of other impacted districts, please let us know via email at admin@geekfeed.net or through our tip form.