
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
PowerSchool Exposed-🔥-Children at Risk at School
🚨New Episode 🚨 We dive into PowerSchool Exposed: Children at Risk at School, covering the significant cybersecurity breach at PowerSchool, which exposed sensitive data of millions of students and teachers. The episode emphasizes the importance of transparency, accountability, and robust cybersecurity measures in protecting sensitive information.
Takeaways
- Cybercriminals buy and sell children's identities on the dark web.
- The PowerSchool breach exposed millions of sensitive records.
- Third-party vendor risks are a growing concern for organizations.
- A single compromised credential can lead to massive data breaches.
- PowerSchool's lack of multi-factor authentication contributed to the breach.
- The breach affected 62 million students and 9.5 million teachers.
- PowerSchool engaged CrowdStrike to investigate the breach.
- Transparency and accountability are crucial in handling data breaches.
- Organizations must implement robust cybersecurity measures.
- The future of cybersecurity in education requires vigilance and proactive strategies.
Chapters
- 00:00 The Wake-Up Call: Cybersecurity in Education
- 03:07 The PowerSchool Data Breach: A Deep Dive
- 06:02 The Mechanics of the Breach: How It Happened
- 08:48 The Fallout: Data Exposed and Consequences
- 12:12 Lessons Learned: What Organizations Must Do
- 15:07 The Role of Transparency and Accountability
- 17:59 Future Implications: Cybersecurity in Education
- 20:49 Conclusion: The Path Forward
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!
Topics covered:
PowerSchool data breach, children at risk at school, why schools fail at security, school security puts kids at risk, school cyber security puts kids at risk, compromised credentials attack, PowerSchool security breach, PowerSchool PowerSource hack, K-12 data breach investigation, student information system breach, powerschool breach 2025, cybersecurity in education, dark web leaked credentials, PowerSchool maintenance tool exploit, breach of sensitive student data, PowerSchool MFA failure, threat detection SIEM PowerSchool, CrowdStrike investigation PowerSchool, PowerSchool breach timeline, protecting school data from cyberattacks
Speaker 2 (00:00.108)
What if your child's most private data, grades, health records, even behavior notes, were suddenly in the hands of cybercriminals? And what if the same cracks in the system that caused it are hiding in your own organization right now? Did you know that because most parents do not freeze their child's credit, cybercriminals buy and sell children's identities on the dark web every single day and use those stolen IDs to rack up massive debt in your kid's name? So when they mature into young adults, they will have large unpaid health care bills, credit card debt, foreclosed homes,
and other things leading to bankruptcy. I wish I were kidding, but I heard from Dean and his team at NetGain Technologies, who have been involved in handling cybersecurity incidents and protecting small and mid-sized organizations from cybercrime, and he explained they have spoken to more than 75 different families that this has happened to in the last couple of years. This episode hits hard. So if you want to learn about what you can do to protect yourself, then listen on. Hey everyone, welcome back to Cybercrime Junkies. I'm Kylie J.
where we expose the threats that hide in plain sight and explain cybersecurity in simple terms we all can understand. After all, simplicity is the greatest form of sophistication. Today, we're diving into one of the biggest wake-up calls for business leaders and SMB owners, the PowerSchool data breach, a cyber incident that didn't just disrupt classrooms. It exposed millions of records and shook the foundation of digital trust in our schools. But here's the twist. This breach isn't just about education. It's a mirror reflecting what could happen inside any organization.
Yours included, if the right protections aren't in place. So stick with me until the end, because we're breaking down the five game-changing lessons every leader needs to know. From silent vendor threats and forgotten backups to the one security tool that could have stopped this breach cold. Let's get into it.
Did you know that a single set of compromised credentials could expose the personal data of over 60 million students and teachers? Ever notice how major data breaches occur over the holidays, like Christmas break or Thanksgiving? How could a lack of basic multi-factor authentication and SIEM, security information and event management, or other standard real-time threat detection allow hackers to breach one of the nation's largest school information systems? This breach is huge.
Speaker 1 (02:12.206)
It's bigger than people imagine. It illustrates the critical dangers of vendor and third-party risk. We uncovered local media coverage from school leaders who are acknowledging the incident and coverage about how others are being silent on it. This is a difficult set of events to navigate. Think about it. Was the school district hacked? No, but the reality is that their most sensitive student data was stolen, and whose fault is it? Well, obviously many will say it's PowerSchool, but also consider the fact
that the school district is the one who chose and utilized the vendor. Students and parents and teachers got compromised, all at the hands of the districts and the software vendor they were in bed with. Third-party risk is becoming more and more common, and in many ways it is just a matter of time before other leaders face this dilemma if they haven't already. We're only a few months into 2025, but the recent hack of US tech giant PowerSchool is on track to be one of the
biggest education data breaches in recent years. PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students across North America, first disclosed the data breach in early January 2025. Once owned by Apple, which sold it in the early 2000s, PowerSchool was publicly traded and had Vista Equity Partners as investors. In October 2024, Bain Capital,
a global investment firm, bought PowerSchool for $5.6 billion and took them private. The California-based company said an unknown hacker used a single compromised credential to breach its customer support portal in December 2024, allowing further access to the company's school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment. In early March, PowerSchool published its data breach postmortem
as prepared by CrowdStrike, two months after PowerSchool customers were told it would be released. While many of the details in the report were known, CrowdStrike confirmed that a hacker had access to PowerSchool's systems as early as August 2024. Here's what we have found about the PowerSchool breach timeline. Here are the main events and how it unraveled. Before August 2024: multiple investigations indicate that the credential
Speaker 1 (04:33.678)
used to access PowerSchool's PowerSource customer support portal had been available on the dark web for a considerable time before the December 2024 incident. This suggests that the credential was compromised in an earlier breach or via phishing and then leaked online. The result: prior credentials of a PowerSchool user leaked online. Predating this was a prior breach or phishing. Password reuse is the proximate cause.
Once inside PowerSource, the attackers exploited a maintenance tool designed for PowerSchool engineers, allowing them to access customer student information system (SIS) instances. This access facilitated the extraction of data from student and teacher database tables. August 16th, 2024: initial unauthorized access occurred, undetected by PowerSchool. September 17th, 2024: second unauthorized access occurred,
undetected by PowerSchool. Oh, all were months before the breach was detected. Between December 19th, 2024, at 23:02:54 UTC and December 23rd, 2024, at 08:04:45 UTC, the threat actor exfiltrated data from the teachers and students tables of the PowerSchool SIS instances for certain PowerSchool customers. December 28th, 2024.
On December 28th, 2024, PowerSchool identified suspicious activity using credentials belonging to a support user, compromised support credentials, in their PowerSchool student information system, SIS. On December 29th, 2024, CrowdStrike Services (CrowdStrike) was engaged to provide investigative services and to assess the scope and extent of unauthorized third-party threat actor activity in the PowerSchool environment.
CrowdStrike's investigation began on December 29th, 2024 and concluded on February 17th, 2025. What CrowdStrike did starting December 29th, 2024: deactivating the compromised credential, enforcing password resets, restricting access to and tightening password and access controls for the affected customer support portal.
Speaker 1 (06:55.47)
Requiring that access to the PowerSource environment be via the company's VPN, which requires single sign-on and multi-factor authentication. PowerSchool began communicating with customers about the data breach on January 7th, 2025. The breach affected approximately 62 million students and 9.5 million teachers, exposing sensitive information such as special education status, mental health details, and disciplinary
records. In response, PowerSchool engaged cybersecurity firm CrowdStrike to investigate the incident and has been cooperating with affected school districts. December slash January: PowerSchool paid some form of fee to the attackers to keep the data from being released, which indicates this was an extortion event. It still remains unknown whether compromise actually occurred prior to August, since logs are not available for CrowdStrike to analyze. So we don't know.
CrowdStrike's forensic report found unauthorized activity at the Schoology maker dating back to at least August 2024, with hackers later using the same compromised credentials in the December breach. School district litigation now looms, and over 30 class action lawsuits have been filed, with many citing pilfered, highly sensitive student and teacher data. March 10th, 2025: CrowdStrike releases their findings and threat report dated February 28th, 2025.
They showed the IP that exfiltrated the data was from Moscow, Russia. This leaves all of us with open questions, like: PowerSchool hasn't said how many students or staff are affected. PowerSchool hasn't said what types of data were stolen. PowerSchool won't say how much it paid the hacker responsible for the breach. We don't know what evidence PowerSchool received that the stolen data has been deleted.
So the hacker behind the data breach is not yet known. It's not known exactly how far back PowerSchool's breach actually goes. When looking at this breach as a whole, we have a few conclusions many in the industry have summed up. Number one, not a ransomware attack, but they did pay a ransom, more than a mere failure in protecting data. Second, PowerSchool failed to correctly manage role-based access control.
Speaker 1 (09:18.432)
Access to a common tool, through which the hackers accessed all schools' data, should have limited school A to access only school A, not all schools. PowerSchool lacked basic security role-based access control. Three, no multi-factor authentication. The breached PowerSource portal did not support multi-factor authentication at the time of the incident, a huge error. Fourth, PowerSchool violated the principle of least
privilege. The fact that stolen credentials granted access to a wide range of data suggests this might have been a company-level credential breach. Such credentials often have broad privileged access for maintenance or support, which, when exploited, can be devastating, big time. This points to a lack of proper segregation of duties and the principle of least privilege. PowerSchool didn't even know this happened until the threat actor reached out to them six days later asking for money.
This shows the lack of real-time detection and threat hunting, which should have been active and effective. So let's get into what happened. The recent PowerSchool data breach, which came to light on December 28th, 2024, involved unauthorized access to sensitive student and staff information. The breach was initiated through compromised credentials used to access PowerSource, PowerSchool's customer support portal.
While the exact method of credential compromise remains unclear, common techniques include phishing and password reuse, making the credentials available for sale on the dark web. The attackers simply logged into the PowerSource portal using that valid credential and exploited an administrative tool to exfiltrate sensitive data. This method bypassed many conventional network defenses because it relied on legitimate authentication rather than exploiting a system vulnerability. Leaked on the dark web.
Multiple investigations indicate that the credential used to access PowerSchool's PowerSource customer support portal had been available on the dark web for a considerable time before the December 2024 incident. This suggests that the credential was compromised in an earlier breach or via phishing and then leaked online. Repeated unauthorized access. Some reports reveal that the same support account's credentials were used in earlier incidents,
Speaker 1 (11:42.474)
notably in August and September 2024, which implies that once the credential was compromised, it continued to be exploited over several months. These findings underscore the importance of robust password hygiene, regular dark web monitoring, and multi-factor authentication to mitigate such risks. Once inside PowerSource, the attackers exploited a maintenance tool designed for PowerSchool engineers allowing them to access customer student information system SIS instances.
This access facilitated the extraction of data from student and teacher database tables. Investigations revealed that the initial unauthorized access occurred between August 16th and September 17th, 2024, months before the breach was detected. The breach affected approximately 62 million students and 9.5 million teachers, exposing sensitive information such as special education status, mental health details, and disciplinary records. In response,
PowerSchool engaged cybersecurity firm CrowdStrike to investigate the incident and has been cooperating with affected school districts to mitigate the impact. What data was stolen in the PowerSchool breach? The PowerSchool breach exposed a ton of data, which includes all of the following. Special education status and student special ed development plans and diagnoses. Mental health data.
Parental and student legal proceedings and otherwise sealed information, including custody agreements, restraining orders, and other legal information. Medical records, Social Security numbers, home addresses, home and cell phone numbers, full names of students, parents, and teachers, physical addresses, contact information, and Social Security numbers of students, parents, and teachers, the medical and mental health data, including not only allergy information,
but mental health information, including conditions related to anxiety, depression, and suicidal ideation or treatments, testing records and student grades, a medical alert field inside PowerSchool containing health information parents wanted their students' schools to be aware of. When asked why it had not listed special education status, custody agreements, and disciplinary notes in its original notice about the types of information exposed,
Speaker 1 (14:08.352)
A PowerSchool spokesperson said those fields are not created by PowerSchool and were customized add-ons put in place by schools. Adam Larson, an assistant superintendent at an Illinois school district who also works as a data consultant for schools, said a handful of his school district clients had sensitive student mental health and special education data exposed. This PowerSchool breach means that private data of 60 plus million students, teachers, and adults
is now exposed. PowerSchool has published a long-awaited CrowdStrike investigation into its massive December 2024 data breach, which determined that the company was previously hacked over four months earlier in August, and then again in September. PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions.
In December, the company announced that hackers had gained unauthorized access to its customer support portal named PowerSource. This portal included a remote maintenance tool that allowed the threat actor to connect to customers' databases and steal sensitive information, including full names, physical addresses, contact information, Social Security numbers (SSNs), medical data and grades. Although the company has not officially disclosed the number of people impacted by this incident, BleepingComputer
first reported that the threat actor claimed to have stolen the data of 72 million people, including students and teachers. CrowdStrike confirms that the threat actors breached PowerSchool through PowerSource using compromised credentials and maintained their access between December 19th, 2024 and December 28th, 2024. The cybersecurity firm also confirmed that the threat actor exfiltrated teachers and students' data.
from the compromised systems, though it notes there's no evidence that other databases were stolen. Similarly, there's no evidence that malware was planted on PowerSchool systems or that the threat actor escalated their privileges, moved laterally, or moved downstream to customer or school systems. CrowdStrike noted that as of January 2nd, 2025, its dark web intelligence showed that the threat actors kept their promise not to publish data
Speaker 1 (16:33.642)
after an extortion demand was paid, as the cybersecurity firm has not found the data offered for sale or leaked online. Included in the breach were some names, contact information, dates of birth, limited medical alert information, Social Security numbers, social insurance numbers, and other information, though how much was breached in each individual school district varies. CrowdStrike also found that threat actors breached PowerSource even earlier than December, with the same compromised
credentials used months earlier in August and September 2024. How hackers got inside. CrowdStrike's report also confirms that the attackers used compromised credentials for a maintenance account to access PowerSchool's SIS service through the PowerSource portal and to steal student and educator information between December 19th and December 28th. Why this matters. Hackers didn't hack.
They logged in. The attackers did not use brute force to hack their way in. They simply logged in using stolen credentials. Literally any one of us could have done this. How the compromised credentials were obtained. Leaked on the dark web: multiple investigations indicate that the credential used to access PowerSchool's PowerSource customer support portal had been available on the dark web for a considerable time before the December 2024 incident.
This suggests that the credential was compromised in an earlier breach or via phishing and then leaked online. Cybersecuritydive.com, haylock.com. Repeated unauthorized access: some reports reveal that the same support account's credentials were used in earlier incidents, notably in August and September 2024, which implies that once the credential was compromised, it continued to be exploited over several months. How they exploited the credentials.
Accessing a privileged support portal. The attackers used the compromised credential to log into PowerSource, a customer support portal that includes a maintenance tool. This tool is designed for PowerSchool engineers to remotely access customer systems for support and troubleshooting. Edweek.org, techtarget.com. Data exfiltration via built-in export features. Once inside, the threat actor used an export utility within the portal to extract data from specific tables in the student information system, SIS.
Speaker 1 (18:58.766)
The extracted data included personally identifiable information (PII) of students, families, and educators. Alliant.com, BleepingComputer.com. The technical investigation across multiple sources shows that the breach was driven by a compromised support account credential, likely obtained from a prior breach or phishing incident and later found on the dark web. The attackers simply logged into the PowerSource portal
using that valid credential and exploited an administrative tool to exfiltrate sensitive data. This method bypassed many conventional network defenses because it relied on legitimate authentication rather than exploiting a system vulnerability. These findings underscore the importance of robust password hygiene, regular dark web monitoring, and multi-factor authentication to mitigate such risks. Prior breach using same credentials.
Additionally, the report shows that the same compromised credentials were used between August 16 and September 17, 2024 to access the PowerSchool PowerSource portal, but it does not link the two intrusions. CrowdStrike did not find sufficient evidence to attribute this activity to the threat actor responsible for the activity in December 2024. The available SIS log data
did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data. The report reads, TechCrunch reports that leading U.S. education technology provider PowerSchool was discovered to have its network compromised months before being subjected to a major data breach in December, which was reported to have impacted more than 60 million students' personal information. Attackers who snuck in on PowerSchool's PowerSource support portal
to access its school information system had leveraged support credentials that were previously used to penetrate the same systems from August 16 to September 17, according to a CrowdStrike forensic probe, while additional evidence is still needed to link the intrusion to a particular threat actor due to inadequate PowerSchool log data. What this means: CrowdStrike researchers noted that immediate credential modifications following the August breach
Speaker 1 (21:18.19)
could have averted significant data compromise. In other words, had they found the prior two breaches, August or September 2024, or even one of them, in a timely manner, they could have stopped the big one, December 2024, from happening. They can't say with technical certainty that the same hackers logged in during these prior instances. The same compromised credentials were used in all three breaches, though. It's significant that there weren't enough logs to examine, so they don't have the
evidence to show one way or the other. This does confirm that hackers used compromised credentials to access PowerSchool's PowerSource portal a month before the December 2024 data breach. So let's talk about victim assistance. PowerSchool is offering free credit monitoring for families of students in schools who were impacted by a data breach of its servers. They also face a landslide of individual and class action lawsuits.
We will monitor the legal discovery, depositions, affidavits, et cetera, from these events and update everyone. A perspective on PowerSchool: their battle with transparency. Despite acknowledging the investigation's findings, PowerSchool has not disclosed the total number of students and faculty members affected by the incident. They have also not confirmed their awareness of the prior two breaches before the CrowdStrike report was recently released,
in early March 2025, despite being aware. At this time, PowerSchool has still not officially shared the total number of impacted schools, students, or teachers, raising concerns about transparency. However, sources told BleepingComputer that the breach impacted 6,505 school districts in the US, Canada, and other countries, with 62,488,628 students and 9,506,624 teachers having their data stolen. Duty not to harm: the students in districts who made them millions. PowerSchool funded the cybercriminals by paying the ransom. They trusted the attackers and justify this by saying they watched a FaceTime video of the hacker purporting to show him deleting the data.
Speaker 1 (23:42.324)
The palm-face slap. A spokesperson for PowerSchool even said, "We do not anticipate the data being shared or made public and we believe it has been deleted without any further replication or dissemination." So the basis is there must be the fantasy that there is honor among thieves. They apparently are not aware of the largest healthcare breach in history from last year, where Change HC paid $20 million under the false belief that the data was deleted, only to later learn it had not been, and Change even was
extorted a second time by another affiliate hacker from the BlackCat attack upon them. PowerSchool acts as a steward of the school districts' students just as the school districts do. Their health, mental health, physical safety, and learning rest with them. Today, this includes their education conditions, family information, and protected health information (PHI). They owe a duty to the parents to not be negligent. Two big misses by PowerSchool.
Our review of multiple sources indicates two key points regarding PowerSchool security controls at the time of the breaches. Multi-factor authentication (MFA): lack of MFA enforcement. There's no evidence from the public reports that MFA was required on the PowerSource customer support portal prior to the breach. The attackers were able to use a single set of compromised credentials to gain access, which suggests that the authentication process relied solely on a username and password.
Post-breach remediation. In response to the incident, PowerSchool not only performed a full password reset and tightened access controls, but also emphasized improved password policies. However, public details do not confirm whether MFA was implemented afterward or if it was part of the pre-breach security posture. Threat detection and SIEM capabilities. Detection capabilities. The breach was detected on December 28th, 2024, which led PowerSchool
to immediately activate its incident response protocols and engage third-party cybersecurity experts like CrowdStrike. The existence of system logs allowed investigators to trace some of the attackers' activity. However, multiple reports mentioned that the log data did not extend far enough back to capture all prior unauthorized activities, particularly those from earlier in August and September 2024. SIEM and continuous monitoring.
Speaker 1 (26:08.162)
While PowerSchool had some level of logging and monitoring, there is no public confirmation that a robust security information and event management (SIEM) system was in place, or that advanced threat detection mechanisms were actively flagging suspicious behavior before the breach occurred. Instead, the breach appears to have been primarily uncovered through standard incident detection procedures after unauthorized access had already taken place. In the end, we are left with more questions than answers.
At the time of the breaches, PowerSchool's support portal did not appear to enforce MFA, which would have added an additional layer of security beyond just the compromised credentials. Additionally, while some logging and monitoring capabilities existed, there's no clear evidence that they were backed by a robust SIEM system or advanced threat detection solutions that could have proactively alerted the team to the unauthorized access.
These likely contributed to the extent and duration of the breach. Thanks for listening everyone. We will keep you updated as this story develops.
Speaker 1 (27:17.838)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.