What we know about the PowerSchool breach so far…

It has only been 24 hours since PowerSchool announced it had an “incident,” so there’s very little information available to the public. However, what PowerSchool has shared and what school districts are seeing is concerning, to say the least.

On January 7 PowerSchool notified its customers that the company became aware of an “incident” on December 28, in which an unauthorized party gained access to customer data, including student and employee data. PowerSchool has yet to make a public statement (and its FAQ is behind a customer login), but this incident likely is impacting tens of millions of families in the United States, meaning this could be the largest cybersecurity incident in the K-12 education industry.

Here’s what we know so far:

  1. PowerSchool is not just any ed-tech company. PowerSchool has multiple products, but its flagship product is its student information system (SIS), which is at the heart of a school district’s data infrastructure. The SIS is what school districts use to record and maintain all student data. PowerSchool happens to be the biggest SIS provider in the country, with almost a third of all school districts in the United States using PowerSchool. If any SIS vendor experiences a cybersecurity incident, it can be devastating to a school district—for PowerSchool to experience a breach, it can be devastating to the country.

  2. This was a data exfiltration attack of epic proportions. Multiple customers have shared data exfiltration logs from their PowerSchool SIS that demonstrate the “unauthorized party” moved quickly between districts to export all student and staff data from PowerSchool, likely using automated scripts to exfiltrate data from thousands of districts within a short period of time. The speed and timing of the attack suggest this was someone with a high level of technical expertise who knew what they were doing and acted with intentionality.

  3. The attack used a back-door account, negating any security a school district had in place. PowerSchool has multiple options for hosting its SIS, including within PowerSchool’s cloud or a district’s self-hosted infrastructure. Unfortunately, this breach appears to have impacted a PowerSchool service account, which means the hosting location was irrelevant and the threat actor was able to gain access to data in PowerSchool’s cloud as well as self-hosted installations. Some PowerSchool customers were not impacted, but it’s reasonable to conclude a large portion of PowerSchool’s 60 million students were impacted by this breach. There likely will be entire states where every student and staff member must now enroll in credit monitoring.

  4. Timing (and language) is everything. PowerSchool stated that the company became “aware” of the incident December 28, six days prior to notifying customers. However, multiple school districts have posted audit logs that show data exports being run on their system at least a week prior to December 28. In addition, an incident of this scale and complexity is not something that would occur overnight, and the “unauthorized party” likely had this access much earlier. It’s not uncommon for attacks on school districts to occur during holiday breaks, so the full timeline of this attack likely will begin much earlier than what is currently reported.

  5. PowerSchool paid a ransom. PowerSchool stated in its FAQ that the company “received reasonable assurances from the threat actor that the data was deleted and that no additional copies exist,” and the company confirmed it had received a video showing the deletion of data. There are arguments for and against that claim, so I’m not going to speculate whether the threat actor still has a copy of the data. However, for a threat actor to be in possession of that amount of data from a company as big as PowerSchool means the ransom payment was likely enormous. This, combined with the need to provide credit monitoring for possibly millions of people, means that Bain Capital likely won’t see the benefits of its $5.6 billion purchase of PowerSchool anytime soon.
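Points 2 and 4 rest on what district administrators found in their own audit logs: bulk export events, run by one account, dated before the December 28 awareness date. The following is an added example of that check, not code from PowerSchool or from this post. The log line layout, account names, IP addresses, the 1,000-row "bulk" threshold and the 2024 year are all constructed assumptions; the real PowerSchool audit-log format is not described on this page, so a district would adapt `parse_line` to whatever its own export carries.

```python
"""Added example (not PowerSchool code): flag bulk export events in an SIS audit log.

Assumptions, labelled here: the comma-separated layout below
(timestamp, account, action, table, row_count, source_ip) is a constructed,
hypothetical format, not PowerSchool's real audit-log format. The year 2024 is
assumed for the December 28 awareness date quoted in the notification.
"""
from datetime import datetime, timezone

# Date PowerSchool said it became "aware" of the incident (year assumed).
VENDOR_AWARE = datetime(2024, 12, 28, tzinfo=timezone.utc)
# Rows per single export above which an event counts as "bulk" (assumed threshold).
BULK_ROW_THRESHOLD = 1000

# Constructed sample lines: routine staff activity plus an off-hours burst of
# full-table exports by a service account that predates the stated awareness date.
SAMPLE_LOG = """\
2024-12-19T02:14:07Z,svc_maintenance,EXPORT,students,48213,203.0.113.5
2024-12-19T02:15:31Z,svc_maintenance,EXPORT,teachers,3120,203.0.113.5
2024-12-20T09:41:00Z,jsmith,REPORT,attendance,45,192.0.2.10
2024-12-22T03:02:44Z,svc_maintenance,EXPORT,students,48219,203.0.113.5
2024-12-30T11:05:12Z,jsmith,EXPORT,students,120,192.0.2.10
"""


def parse_line(line):
    """Parse one constructed-format audit line into a dict with a UTC timestamp."""
    ts, account, action, table, rows, ip = line.split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": account,
        "action": action,
        "table": table,
        "rows": int(rows),
        "ip": ip,
    }


def find_bulk_exports(log_text, threshold=BULK_ROW_THRESHOLD):
    """Return only EXPORT events whose row count meets the bulk threshold."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events if e["action"] == "EXPORT" and e["rows"] >= threshold]


def summarize_by_account(events):
    """Per account: number of bulk exports, total rows moved, earliest timestamp."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["account"], {"count": 0, "rows": 0, "first": e["ts"]})
        s["count"] += 1
        s["rows"] += e["rows"]
        s["first"] = min(s["first"], e["ts"])
    return summary


def earliest_export_before(events, cutoff=VENDOR_AWARE):
    """Earliest bulk export that predates the vendor-stated awareness date, or None."""
    earlier = [e["ts"] for e in events if e["ts"] < cutoff]
    return min(earlier) if earlier else None


if __name__ == "__main__":
    bulk = find_bulk_exports(SAMPLE_LOG)
    for acct, s in summarize_by_account(bulk).items():
        print(f"{acct}: {s['count']} bulk exports, {s['rows']} rows, first at {s['first'].isoformat()}")
    first = earliest_export_before(bulk)
    if first is not None:
        gap = (VENDOR_AWARE - first).days
        print(f"earliest bulk export predates the stated awareness date by {gap} days")
```

On the constructed data the only account with bulk exports is the service account, and its first export lands eight full days before the stated awareness date, which is the kind of finding districts reported in point 4. Grouping by account rather than by table is deliberate: point 3 says the access came through a single service account, so the question a district wants answered is "which account moved the data, how much, and starting when", not "which tables were touched".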

There is still a lot left to learn, but I’m hopeful that PowerSchool will lead the conversation with transparency to both customers and the general public. PowerSchool has yet to make a statement to the public, but I applaud them for communicating to school districts first so district staff can be prepared when they start to receive questions from families.
