In Brief

Cybercriminals are targeting industries such as healthcare, insurance, automotive, and education, with PowerSchool being the most recent to experience record thefts involving millions of students and teachers. (1)
The breach is serious, even though the exact number of affected people remains unknown.

Who is PowerSchool and how did the attacker target it?

PowerSchool is a renowned North American cloud-based software supplier that wants to transform education by supporting personalized learning for all students globally and developing a sense of personal connection to learning. It aims to personalize the educational experience for every student by supporting every step of the learning journey, connecting information so that educators understand each student’s unique needs, and combining K-12 educational and operational technology to create an experience tailored to those needs. PowerSchool serves over 16,000 customers in over 90 countries. (2)

PowerSchool reported a cybersecurity breach on January 7th, 2025, discovered on December 28th, 2024, after customer data from its PowerSchool SIS platform was stolen via the PowerSource support portal. The hackers gained access to the PowerSchool SIS, a student information system, by using stolen credentials and an “export data manager” application. The company disclosed a network compromise rather than a ransomware attack or software defect, and it has recruited a third-party cybersecurity firm to investigate and identify those affected. (1)

Uncertainty Over the Stolen Data

The attacker used a feature of the PowerSource portal that allows PowerSchool engineers to access customer systems for support and troubleshooting, and used it to export database tables to CSV format. PowerSchool confirmed that the stolen data contains contact information, but it may also include sensitive information such as Social Security numbers, medical records, and grades in some districts.

PowerSchool verified that no customer support tickets, credentials, or forum data were accessed or taken during the incident, and it aims to notify only a fraction of affected customers. (1) The developer informed customers:

 “We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,”

“We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.”

PowerSchool has announced that impacted adults will receive free credit monitoring, while minors will receive memberships to an undisclosed identity protection program.

Call to Action

The PowerSchool data breach underscores the need for constant personal information security. These are crucial steps to safeguard your data:

  1. Monitor your accounts regularly – check bank accounts, credit cards, and online services for unauthorized transactions or changes that could indicate misuse of your personal information.
  2. Freeze your credit – consider placing a credit freeze with major credit bureaus like Equifax, Experian, and TransUnion to prevent identity thieves from opening new accounts.
  3. Use identity theft protection services
  4. Enable two-factor authentication (2FA) – for online accounts to enhance security by requiring a second form of verification, like a text code or app-generated token.
  5. Be aware of phishing links and use strong antivirus software – avoiding suspicious links in emails or text messages and installing antivirus software on all your devices is the most effective way to protect yourself from malicious links. (1)

Lesson learnt

I believe PowerSchool is responsible for failing to appropriately protect sensitive data, and their school system has been hacked, potentially breaking data privacy agreements and laws. The company took over two weeks to tell customers about the vulnerability, exposing students, parents, and teachers to cyberattacks.

I also agree with the concerns that companies like PowerSchool should be subject to stricter regulations when dealing with sensitive data because education data is a sensitive and personal collection of academic information, health records, behavioral data, and family history. There are several reasons why stricter regulations are necessary:

  1. The growing number of cybersecurity threats raises serious privacy concerns, prompting the implementation of strong security measures by PowerSchool to protect sensitive student data from potential breaches.
  2. Stricter restrictions comply with existing European legislation such as FERPA and GDPR, but also include updated recommendations to handle modern tech and data threats in education.
  3. Clearer regulations can improve transparency and confidence among schools, parents, and educational technology businesses by outlining data processing, access, and purposes.
  4. Stricter regulations would ensure that PowerSchool is held accountable for how it collects, stores, and shares student data. They would create clear legal obligations to ensure that data is only used for its intended purpose and not misused or sold to third parties.
  5. Stricter regulations might provide a consistent standard for how student data is handled across different companies and platforms, minimizing disparities in data protection procedures.

References:

[1] PowerSchool data breach exposes millions of students and teacher records. (12 Jan. 2025). Retrieved from https://www.foxnews.com/tech/powerschool-data-breach-exposes-millions-student-teacher-records
[2] About PowerSchool. (n.d.). Retrieved from https://www.powerschool.com/company/
[3] Protecting Student Privacy. FERPA. (n.d.). Retrieved from https://studentprivacy.ed.gov/ferpa
[4] Personal Data. GDPR. (n.d.). Retrieved from https://gdpr-info.eu/issues/personal-data/

Join the Conversation

12 Comments

  1. Great article, John. I completely agree that stricter regulations and transparency are essential in protecting sensitive data. This accountability is crucial for protecting sensitive information and maintaining the trust.
    Thank you for highlighting key lessons here.

    1. It freaks me out that they didn’t have 2FA in place, simple credential compromises shouldn’t grant attackers access. Organizations need to realize it’s not a matter of if they’ll be compromised, but when.

  2. As a parent, it’s incredibly concerning to hear about the PowerSchool data breach. Our children’s personal and academic information should be protected with the utmost care, and it’s unsettling to know that a company responsible for this data could be vulnerable to cyberattacks. I’m worried about the long-term impact this could have on our kids’ privacy and safety. I hope PowerSchool is taking all necessary steps to secure their systems and prevent future breaches. It’s also a reminder of how important it is for schools to prioritize cybersecurity when choosing platforms to manage sensitive student information.

  3. Maria, I absolutely understand your concerns, and it is very reasonable to be concerned when personal and academic data, especially that of children, is exposed in any way. PowerSchool data breaches are critical, which is why companies and institutions must establish effective cybersecurity measures to protect sensitive information. I believe that schools must exercise prudence when choosing platforms to hold and handle this type of data. However, as parents, we must continue to fight for transparency, accountability, and strict security requirements from these companies.

  4. Thank you for the detailed write-up, John. The PowerSchool breach serves as a reminder of how vulnerable sensitive educational data can be. I appreciate how you highlighted the mechanisms of the attack, especially the misuse of the export data manager and the stolen credentials. The recommendations you gave for protecting personal information are practical and relevant, especially the emphasis on credit freezes and identity theft protection practices. It would be great to explore further whether stricter international regulations, like GDPR, could be adapted to better safeguard educational data globally.

  5. Thank you for bringing up this topic, John. When I came across this news, I felt as though something closely related to my child had been violated. However, I still haven’t received any notice or message from the relevant authorities as a parent. Implementing strict cybersecurity measures is the most effective way to reduce such incidents. Please recall a similar situation I published in this blog during the back-to-school season last year.
    https://wpsites.ucalgary.ca/jacobson-cpsc/2024/09/12/schools-are-facing-security-breaches-in-the-beginning-of-new-session/

  6. Hi John, this is a very well thought out and articulated post! The fact that such data breaches are occurring so often and targeted towards vulnerable populations brings up various concerns for parents, students, and teachers involved. I found it quite interesting that hackers gained access to this information by utilizing stolen credentials and an “export data manager” application. This highlights the importance of cybersecurity education at schools, especially with younger students who plainly misplace their passwords. The consequence of using one singular credential had resulted in the compromise of over 16,000 customers in over 90 countries. As we move forward, it remains crucial to establish effective cybersecurity measures that ensure high protection of sensitive information to prevent such data breaches from occurring in the future.

  7. Thank you John for this great post!
    It’s PowerSchool today, it could be any other company tomorrow irrespective of size! Cybersecurity is not a matter of if, rather when! If only we can learn from cyber attacks happening around the world, I believe most organizations would be proactive in building a robust security across systems and networks that would make it difficult for attackers to penetrate into their systems and networks! I hope we win this fight against cyber threats some day.

  8. John, thank you for this post and for enabling discussion about a sector that is often overlooked when it comes to cybersecurity measures. Educational institutions, much like healthcare organizations, are lucrative targets for threat actors, as many operate with outdated security systems and insufficient safeguards. The student community particularly remains one of the most undertrained groups in cybersecurity measures, making them an easy target for credential theft with minimal effort from attackers. While PowerSchool’s response includes remediation steps, this incident highlights the pressing need for stronger cybersecurity frameworks, continuous monitoring, and a proactive approach to threat detection. Organizations handling sensitive student and teacher data must foster a culture of cybersecurity awareness at all levels. It is also crucial for parents and educators to stay informed and actively advocate for stronger data protection of personal information.

  9. Great post John!

    This significant issue highlights the urgent need for educational technology companies to enhance their efforts in safeguarding student information. Timely communication about any breaches is crucial. Additionally, there may be a need for updated government regulations to better protect students. It is also essential for schools, educators, and students to receive proper training on online safety practices.

  10. Great post John. This post highlights the critical importance of data security in education, especially when it involves sensitive personal and academic information. The PowerSchool breach serves as a wake-up call for the education sector to adopt stronger cybersecurity measures, given the severity of potential consequences for students, parents, and educators alike. Robust safeguards, and compliance with frameworks like GDPR should be the minimum baseline, not just an aspiration.

  11. Really informative post. Great job breaking down all the information about this PowerSchool attack and some ways to protect yourself from similar attacks. What I find interesting about this attack is that the hackers got access by a user’s credentials. Which to me means that this user reused passwords for multiple accounts and the password was breached or they fell for some form of a phishing attack. This tells me other than what you suggested for countermeasures is that PowerSchool should implement better cybersecurity training and awareness programs. Having better training programs could’ve helped have this user not reuse a password or fall for the phishing attack, preventing the hack.
