Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

PowerSchool Portal Compromised Months Before Massive Data Breach

Hackers used compromised credentials to access PowerSchool’s PowerSource portal months before the December 2024 data breach.

PowerSchool data breach

Threat actors accessed the customer support portal of education tech giant PowerSchool several months before the massive December 2024 data breach, cybersecurity firm CrowdStrike says.

In January, PowerSchool revealed that hackers had stolen personal information from its Student Information System (SIS) environments, which were accessed through the PowerSource community-focused customer support portal.

Using compromised credentials for a maintenance account, the hackers stole names, contact details, dates of birth, medical information, Social Security numbers, and other information of both students and educators.

PowerSchool has not shared information on the number of potentially impacted individuals, but multiple school districts in the US and Canada said that the attackers stole all their historical data from the SIS service and reports suggest that roughly 70 million people might be affected.

A fresh CrowdStrike report (PDF) summarizing the findings of their investigation into the incident does not clarify how many individuals had their personal information stolen, but shows that the data has not appeared on sale on the dark web.

As the Menlo Park City School District (MPCSD) pointed out in a January incident notice, it may be because PowerSchool engaged with CyberSteward to negotiate with the hackers and likely paid a ransom to ensure that the data is not leaked publicly.

Advertisement. Scroll to continue reading.

CrowdStrike’s report also confirms that the attackers used compromised credentials for a maintenance account to access PowerSchool’s SIS service through the PowerSource portal, and to steal student and educator information between December 19 and December 28.

Additionally, the report shows that the same compromised credentials were used between August 16 and September 17, 2024, to access the PowerSchool PowerSource portal, but it does not link the two intrusions.

“CrowdStrike did not find sufficient evidence to attribute this activity to the threat actor responsible for the activity in December 2024. The available SIS log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data,” the report reads.

CrowdStrike found no evidence of unauthorized activity in PowerSchool’s environment after December 28, of a malware infection, of system compromise, or of other PowerSchool customer IT environments being accessed or at risk of compromise.

“CrowdStrike did not identify any new or concerning findings beyond what we already shared,” PowerSchool notes in a March 7 update to its incident notice.

Related: Many Schools Report Data Breach After Retirement Services Firm Hit by Ransomware

Related: HPE Says Personal Information Stolen in 2023 Russian Hack

Related: New York Sues Insurance Giant Over Data Breaches

Related: 18,000 Organizations Impacted by NTT Com Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.