PowerSchool hack exposes student, teacher data from K-12 districts
Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
While the company’s products are mostly known by school districts and their staff, PowerSchool also operates Naviance, a platform used by many K-12 districts in the US to offer personalized college, career, and life readiness planning tools to students.
Targeted in data-theft attacks
In a cybersecurity incident notification sent to customers Tuesday afternoon and obtained by BleepingComputer, PowerSchool says they first became aware of the breach on December 28, 2024, after PowerSchool SIS customer information was stolen through its PowerSource customer support platform.
PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more.
“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” reads a notification shared with BleepingComputer.
After investigating the incident, it was determined that the threat actor gained access to the portal using compromised credentials and stole data using an “export data manager” customer support tool.
“The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource,” PowerSchool told BleepingComputer in a statement.
“PowerSource contains a maintenance access tool that allows PowerSchool engineers to access Customer SIS instances for ongoing support and to troubleshoot performance issues.”
Using this tool, the attacker exported the PowerSchool SIS ‘Students’ and ‘Teachers’ database tables to a CSV file, which was then stolen.
PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades.
A PowerSchool spokesperson told BleepingComputer that no customer tickets, customer credentials, or forum data were exposed or exfiltrated in the breach.
The company also stressed that not all PowerSchool SIS customers were impacted and that they anticipate only a subset of customers will have to issue notifications.
In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.
This includes rotating the passwords for all PowerSource customer support portal accounts and implementing tighter password policies.
In an unusually transparent FAQ only accessible to customers, PowerSchool also confirmed that this was not a ransomware attack but that they paid a ransom to prevent the data from being released.
“PowerSchool engaged the services of CyberSteward, a professional advisor with deep experience in negotiating with threat actors,” reads an FAQ seen by BleepingComputer.
“With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.”
When asked how much was paid to the threat actors, BleepingComputer was told, “Given the sensitive nature of our investigation, we are unable to provide information on certain specifics.”
While the company said they received a video showing that the data was deleted, as with all data extortion attacks, there is no way to guarantee that it actually was.
The company is now continuously monitoring the dark web to determine if the data has been leaked or will be leaked in the future.
PowerSchool is offering credit monitoring services to impacted adults and identity protection services to impacted minors.
PowerSchool says its operations remain unaffected, and services continue as usual despite the breach.
The company is now notifying impacted school districts and will be providing a communications package that includes outreach emails, talking points, and FAQs to help inform teachers and families about the incident.
Determining if you're impacted
In a Reddit thread about the incident, school district IT personnel said that customers can detect whether data was stolen by checking if a maintenance user named “200A0” is listed in the ps-log-audit files.
“You can correlate audit log access with mass-data exports by time in the mass-data logs,” advised a PowerSchool SIS customer.
Another customer shared that their logs showed the Students and Teachers tables being exported on December 22, 2024.
“Oh great, I have logs from 12/22 for Students_export.csv and Teachers_export.csv from a Ukrainian IP address,” stated another customer.
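The check described in the thread, as an added example that is not part of the article or any PowerSchool tooling: it correlates audit entries for the maintenance user "200A0" with mass-data export events by time, the way the customers above did by hand. The line formats of the audit and export logs are assumed (the article does not describe them) and the two regexes must be adapted to the real ps-log-audit and mass-data files; the sample lines, row counts and IP addresses are constructed, with the IPs drawn from documentation ranges. Only the user name and the Students_export.csv / Teachers_export.csv file names come from the thread.

```python
"""Correlate maintenance-user audit entries with mass-data exports (illustrative)."""
import re
from datetime import datetime, timedelta

TARGET_USER = "200A0"                       # maintenance account named in the Reddit thread
SUSPECT_EXPORTS = {"Students_export.csv", "Teachers_export.csv"}
TS_FMT = "%Y-%m-%d %H:%M:%S"

# ASSUMED layouts; the real ps-log-audit / mass-data log formats are not in the article.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)"
)
EXPORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) export=(?P<name>\S+) rows=(?P<rows>\d+)"
)

# Constructed sample audit log: one 200A0 session on 12/22 and an unrelated one on 12/23.
AUDIT_LOG = """\
2024-12-22 02:13:55 user=200A0 ip=203.0.113.45 action=LOGIN
2024-12-22 02:15:10 user=200A0 ip=203.0.113.45 action=OPEN_PAGE page=data_export
2024-12-22 09:02:41 user=jsmith ip=192.0.2.7 action=LOGIN
2024-12-23 14:20:00 user=200A0 ip=198.51.100.9 action=LOGIN
"""

# Constructed sample mass-data export log: two suspect exports plus a routine nightly job.
EXPORT_LOG = """\
2024-12-22 02:16:02 export=Students_export.csv rows=18452
2024-12-22 02:18:47 export=Teachers_export.csv rows=1327
2024-12-23 08:00:00 export=Attendance_nightly.csv rows=50211
"""


def parse_log(text, pattern):
    """Parse lines matching `pattern` into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return events


def correlate(audit_text, export_text, user=TARGET_USER, window=timedelta(minutes=30)):
    """Return exports preceded within `window` by activity from `user`.

    Each finding pairs the export with the most recent matching audit entry, so the
    source IP of the session is reported next to the file that was pulled.
    """
    audit = [e for e in parse_log(audit_text, AUDIT_RE) if e["user"] == user]
    findings = []
    for exp in parse_log(export_text, EXPORT_RE):
        candidates = [a for a in audit if exp["ts"] - window <= a["ts"] <= exp["ts"]]
        if not candidates:
            continue                        # no session from `user` shortly before this export
        last = max(candidates, key=lambda a: a["ts"])
        findings.append({
            "export": exp["name"],
            "exported_at": exp["ts"].strftime(TS_FMT),
            "rows": int(exp["rows"]),
            "user": last["user"],
            "source_ip": last["ip"],
            "last_audit_at": last["ts"].strftime(TS_FMT),
            "sensitive_table": exp["name"] in SUSPECT_EXPORTS,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(AUDIT_LOG, EXPORT_LOG):
        flag = "!!" if f["sensitive_table"] else "  "
        print(f"{flag} {f['exported_at']} {f['export']} ({f['rows']} rows) "
              f"by {f['user']} from {f['source_ip']}")
```

Run against the constructed logs, the script flags both the Students and Teachers exports on 12/22 and ties them to the 203.0.113.45 session, while the routine export on 12/23 is left alone because the only 200A0 login that day came hours later. The 30-minute window is a starting point; widen it if the maintenance tool's session and the export completion are logged further apart in your files.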
BleepingComputer has learned that the company will also provide detailed guides for customers to check if they were impacted and determine what was downloaded.
The investigation is ongoing, with cybersecurity firm CrowdStrike expected to release a finalized report by January 17, 2025.
PowerSchool says they are committed to transparency and will share the report with affected school districts when it is ready.