Description

K-12 schools manage vast amounts of sensitive personal information about students and educators. Many school districts use a cloud service provider to host this data and provide insights and analytics. PowerSchool is the leading provider of cloud-based education software for K-12 education in the United States, serving over 55 million students and 17,000 educational institutions across more than 90 countries. On December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to one of its customer portals. A subsequent investigation showed that the attackers were able to access two tables with family and teacher information from PowerSchool’s Student Information System database. This gave the attackers access to information such as Social Security numbers (SSNs), grades, medical information, names, and addresses of students and educators.


How was the Attack Implemented?

The investigation suggests that the data breach was the result of a compromised credential that was used to authenticate to the PowerSchool portal. It appears that this credential had been available on the dark web for some time before the attack.


Actions Taken

PowerSchool responded to the incident by activating its pre-established incident response plan, involving a collaborative effort between senior leadership and third-party cybersecurity experts. Once the compromised account was identified, it was deactivated immediately and all access to the affected portal was restricted. PowerSchool also performed a full password reset of all accounts and revised its password and access control policies to make them more robust. The company is also notifying all affected parties and is offering free credit monitoring and identity protection services over the coming weeks.

In a controversial move, PowerSchool disclosed in a letter to customers on January 7 that they had paid a ransom to the attackers. This payment was made in exchange for assurances that the stolen student and teacher data would not be released. Company leadership expressed confidence that the data has been deleted following the ransom payment.


Prevention

This attack was easy to carry out because the credentials had already been stolen and were circulating on the dark web. Millions of compromised accounts are traded on the dark web. Dark web monitoring services continually scan for these compromised accounts, enabling security teams to take swift action by resetting affected accounts and notifying users of potential breaches. While dark web monitoring is valuable, it is just one part of a comprehensive cybersecurity strategy. Other essential security measures to prevent such attacks include:

  • Multi-Factor Authentication (MFA): Implementing MFA for all user accounts, especially those with administrative access, could have made it more difficult for attackers to gain unauthorized access to the customer portal.
  • Data Encryption: Encrypting sensitive data both in transit and at rest ensures that even if data is intercepted, it remains unreadable and unusable to unauthorized parties.
  • Store only essential information: Limit what an attacker can get access to by collecting only the information needed to accomplish a particular task. Do you need the full Social Security number? If so, can you mask or tokenize it in the database so that the stolen information is useless?
  • Password Policy Enforcement: Enforcing regular password changes and using password policies to require strong, unique credentials can reduce the risk of credential-based attacks.
  • Database Monitoring and Data Loss Prevention Solutions: Advanced monitoring and threat detection tools can alert IT and security teams to suspicious activity, such as a large export of data from a database, and can block the exfiltration of sensitive data like Social Security numbers in real time, giving teams enough time to respond before real damage is done.
  • Enhanced Access Control: Given the prevalence of brute force, credential stuffing, and password spraying attacks, it’s almost inevitable that some user accounts within any organization will be compromised at some point. Implementing the principle of least privilege (PoLP) for all accounts limits the potential damage an attacker can inflict if they gain access to a compromised account.
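As an added example (not from this bulletin or from PowerSchool), here is the database-monitoring bullet above applied to a constructed audit log: a small Python script that flags an account reading an unusual volume of rows from the tables that hold SSNs and contact data within a short window. The log format, table names, account names and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, not real PowerSchool data: one line per query with
# timestamp, account, source IP, table read and rows returned.
SAMPLE_LOG = """\
2024-12-28T02:14:07Z user=support_acct src=203.0.113.10 table=families rows=250000
2024-12-28T02:14:19Z user=support_acct src=203.0.113.10 table=teachers rows=48000
2024-12-28T09:02:41Z user=registrar_01 src=10.0.5.22 table=families rows=1
2024-12-28T09:10:55Z user=support_acct src=203.0.113.10 table=courses rows=500
"""
SENSITIVE_TABLES = {"families", "teachers"}  # assumed names; hold SSNs, medical and contact data
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$")

def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events

def find_bulk_exports(events, row_threshold=10000, window=timedelta(minutes=15)):
    """One alert per (account, source IP) whose reads of sensitive tables exceed
    row_threshold rows inside a sliding window; the largest window is reported."""
    by_actor = defaultdict(list)
    for e in events:
        if e["table"] in SENSITIVE_TABLES:
            by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past stale events
            span = evs[start:end + 1]
            total = sum(e["rows"] for e in span)
            if total > row_threshold and (best is None or total > best["rows"]):
                best = {"user": user, "src": src, "rows": total,
                        "tables": sorted({e["table"] for e in span})}
        if best:
            alerts.append(best)
    return alerts
```

On the sample log only the support account is flagged: it read 298,000 rows from both sensitive tables within seconds, while the registrar's single-row lookup stays below the threshold.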

Read more HALOCK Breach Bulletins.
