What can we learn from the PowerSchool attack?
What happened?
Towards the end of December 2024, PowerSchool, the edtech giant, discovered it was the victim of a cyber-attack. The breach began with stolen credentials granting hackers access to PowerSchool's support portal, which is used by customers of its student information system.
Once in, the hackers accessed the data of over 60 million students and staff, dating back to 2010 and stored within thousands of school and school district systems. PowerSchool has admitted that the hackers' activity went unnoticed for several days because they were logged in as a normal user.
The lack of data-protection laws covering schools in America may explain why hackers could access the data of students and staff who left their schools long ago. In Europe and Australia, suppliers like PowerSchool are required to follow strict, and often statutory, data retention processes.
How did the hackers get in?
Once aware of the breach, PowerSchool hired a cybersecurity firm to investigate. The investigation found no signs of a sophisticated attack. Instead, the hacker compromised an employee's username and password and used them to log in. It's unclear how they obtained these details.
Because this account wasn’t protected with multi-factor authentication, the username and password were all they needed to access a maintenance function and download millions of children’s personal information.
How could the hacker have compromised the credentials?
Hackers use various techniques to obtain a user's credentials, including phishing emails, reusing passwords from other breached accounts (credential stuffing), buying access from initial access brokers, and automated password-guessing techniques such as password spraying and brute-force guessing.
Even if the credentials had been stolen, multi-factor authentication would have added another layer of protection.
There is a useful article about the different methods hackers use to access credentials here.
What can we learn from the attack?
This attack teaches us that even the biggest suppliers are vulnerable to attack and can have weaknesses in their security.
Check supplier security credentials
Before engaging with cloud suppliers, regardless of how established they are, ask them questions about their cybersecurity. If you didn't do this with the ones you’re already using, it's never too late.
Here are some example questions.
These questions should form part of your data processing assessment, and it is important to be confident that policies are enforced.
- How is multi-factor authentication implemented and enforced?
- Is there a password policy for staff, and how is this enforced?
- How regularly do they test systems for vulnerabilities?
- What accreditations do they have, such as ISO 27001?
- How long do they keep your data, and is this in line with regional regulations?
- What monitoring do they have in place for unusual activity on their networks and systems?
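As an added example (not from this post and not PowerSchool's own tooling), here is the kind of monitoring the last question and the credential-guessing section are asking about: detection logic run over support-portal log lines that flags password spraying against many accounts from one source, and an account exporting far more records through a maintenance function than its normal volume. The log lines, IP addresses, usernames and baselines are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample portal log (not real PowerSchool data). Fields:
# timestamp, source IP, username, action, outcome, records affected.
SAMPLE_LOG = [
    ("2024-12-19T02:00:05", "198.51.100.9", "alice", "login", "fail", 0),
    ("2024-12-19T02:00:09", "198.51.100.9", "bob", "login", "fail", 0),
    ("2024-12-19T02:00:14", "198.51.100.9", "carol", "login", "fail", 0),
    ("2024-12-19T02:00:20", "198.51.100.9", "dave", "login", "fail", 0),
    ("2024-12-19T02:00:27", "198.51.100.9", "erin", "login", "fail", 0),
    ("2024-12-19T02:00:33", "198.51.100.9", "support1", "login", "success", 0),
    ("2024-12-19T02:05:00", "198.51.100.9", "support1", "export", "success", 2_500_000),
    ("2024-12-19T09:00:00", "192.0.2.44", "support2", "login", "success", 0),
    ("2024-12-19T09:10:00", "192.0.2.44", "support2", "export", "success", 1_200),
    ("2024-12-19T09:30:00", "192.0.2.50", "alice", "login", "fail", 0),
    ("2024-12-19T09:30:40", "192.0.2.50", "alice", "login", "success", 0),
]
# Constructed typical daily export volume per support account.
BASELINE = {"support1": 2_000, "support2": 2_000}

def detect_password_spray(log, window_seconds=600, min_distinct_users=5):
    """Return source IPs that failed logins for >= min_distinct_users different
    accounts within window_seconds. One or two failures per account slip under
    per-account lockout, so the grouping is by source, not by account."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    for ts, ip, user, action, outcome, _ in log:
        if action == "login" and outcome == "fail":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged

def detect_bulk_export(log, baseline_records, factor=10):
    """Return users whose exported record total exceeds factor times their normal
    volume. A valid login does not make a multi-million-record export normal;
    an account with no baseline at all is flagged on any export."""
    totals = defaultdict(int)
    for _, _, user, action, outcome, n in log:
        if action == "export" and outcome == "success":
            totals[user] += n
    return {u for u, n in totals.items() if n > factor * baseline_records.get(u, 0)}

if __name__ == "__main__":
    print("password spray from:", detect_password_spray(SAMPLE_LOG))
    print("bulk exports by:", detect_bulk_export(SAMPLE_LOG, BASELINE))
```

Both checks are cheap to run over a daily log export and would have surfaced the second half of this incident, the bulk download by a legitimately logged-in account, without needing to know the credentials were stolen.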