A recent cyberattack on education technology software firm PowerSchool is developing into one of the biggest breaches of the year.
Multiple companies have come forward to say their data was stolen in the hack of the company which helps schools track tens of millions of students. The attack appears to be the largest breach of American children’s personal information to date. The educational software providers supports more than 60 million students and teachers
In late December 2024, an unidentified threat actor used stolen credentials to access its PowerSchool Student Information System (SIS) platform. From there, they were able to use the “export data manager” customer support tool to exfiltrate “Students” and “Teachers” database tables to a CSV file, which was then stolen. PowerSchool SIS is used by schools to manage student records, grades, attendance, and enrollment.
Since the breach was discovered, the Folston, California- based contractor hired cybersecurity firm CrowdStrike to help investigate the breach. The firm’s initial investigation showed that PowerSchool failed to take basic precautions to protect students’ data, according to a copy exclusively obtained by NBC News and records of internal discussions. The report notes that the company was not even aware that it had been the victim of such a massive hack until December 28, several days after it happened, when the hacker contacted the company to inform them of the breach and ask for a payment.
The report also found no evidence that the hacker used malware or found a backdoor into PowerSchool’s systems. They were able to access the data by obtaining a single employee’s password.
The hack of the K-12 software provider has exposed student and teacher information around the country. It impacted every district in North Carolina, exposing the social security numbers of some students and teachers.
The information stolen in the attack included names, and postal addresses, and in some districts the threat actors also obtained Social Security numbers (SSN), personally identifiable information (PII), medical information, and grades.
PowerSchool said while this wasn’t a ransomware attack, it still paid the attackers to have the data wiped.
At least four class-action lawsuits have been filed against the company, including one in U.S. District Court of Eastern California on behalf of parent Shandrelle Okoni. The lawsuit alleges PowerSchool’s negligence affected over 60 million teachers and students and that it failed to provide timely notice, preventing affected users from protecting themselves.
