
Cyber Incident Victim: PowerSchool

Date: Dec 2024

Location: United States of America

Summary

A cybersecurity incident involving an education software provider compromised student and teacher data through unauthorized access via stolen credentials. The breach resulted in the extraction of two database tables containing contact details, names, addresses, and—for some individuals—Social Security Numbers, medical information, and academic records. While the organization stated only a subset of its global customer base was impacted, conflicting reports suggested a potentially broader intrusion timeframe and scope, including possible exposure of internal systems. The compromised credential was deactivated, password resets enforced, and affected individuals offered identity protection services. The incident did not involve ransomware or software vulnerabilities.


Description

On December 28, 2024, PowerSchool disclosed a cybersecurity incident involving unauthorized access to its student information system through a compromised credential. The intrusion occurred between December 22 and December 28, 2024, with the attacker extracting two database tables containing contact information for families and educators, including names and addresses. For a subset of customers, the stolen data also included Social Security Numbers, medical information, grade details, and other personally identifiable information. PowerSchool confirmed its cloud-based platform serves over 18,000 customers globally, managing data for more than 60 million K-12 students and teachers across the United States and Canada. The company stated the attack did not involve ransomware or software vulnerabilities but was a network penetration facilitated by stolen credentials. Impacted organizations included the Toronto District School Board, which notified its community about the breach. PowerSchool took approximately two weeks to alert customers, prompting criticism from a school CTO who cited potential violations of data privacy agreements and federal/state student privacy laws.


In response, PowerSchool deactivated the compromised credential, reset all passwords for its PowerSource customer support portal, and restricted access to the affected systems. The company engaged an independent security firm to audit its infrastructure and assess the breach's scope, maintaining that only a subset of customers would require formal notifications. PowerSchool asserted the stolen data was likely deleted without further dissemination and offered free credit monitoring for affected adults and identity protection services for minors. Cybersecurity firm Cyble contested the timeline, reporting evidence that the intrusion may have begun as early as June 16, 2011, and persisted until January 2, 2025, with data-stealing malware targeting PowerSchool employees or users. Cyble identified potential compromises in critical systems including Oracle Netsuite ERP, UltiPro HR software, Zoom, Slack, Jira, GitLab, and credentials for Microsoft Azure, LogMeIn, and BeyondTrust, though BeyondTrust denied unauthorized access to its platforms. PowerSchool did not publicly address Cyble’s findings at the time of reporting.
