On December 28, U.S. edtech giant PowerSchool discovered a cyberattack that compromised sensitive data of millions of students and teachers. PowerSchool, used by 18,000 schools and supporting over 60 million students across North America, confirmed that hackers accessed private information, including Social Security numbers, grades, demographics, and even medical details.
Breach Linked to Compromised Subcontractor Account
PowerSchool attributed the breach to a compromised subcontractor’s maintenance account that lacked multi-factor authentication (MFA), a critical security feature. Although MFA has since been implemented, this oversight raises questions about the company’s security measures. Affected school districts have reported that the hackers stole entire historical data records, including highly sensitive student information such as parental access rights and medication schedules.
Engineer’s Credentials Stolen by Malware
Separately, TechCrunch uncovered that a PowerSchool software engineer’s credentials were compromised via the LummaC2 infostealing malware prior to the breach. The malware extracted saved passwords, browsing history, and other data from the engineer’s computer, potentially granting access to internal systems, including PowerSchool’s Slack, Jira, and Amazon Web Services (AWS) accounts.
The malware logs revealed weak password practices, including the use of simple passwords and credentials already exposed in past breaches. PowerSchool has since implemented company-wide password resets and enhanced access controls.
Investigation and Response
PowerSchool is working with cybersecurity firm CrowdStrike to investigate the breach. Although the company says it has found no evidence of system-layer access or malware, questions remain about the effectiveness of its security protocols. Affected districts are relying on crowdsourced efforts to identify what data was stolen, as PowerSchool has not yet provided a comprehensive report.
Implications and Next Steps
The PowerSchool breach highlights vulnerabilities in the edtech sector, emphasizing the importance of robust cybersecurity measures such as MFA, strong password policies, and regular audits. With affected districts scrambling to assess the damage, the incident underscores the need for transparent communication and proactive security practices to protect sensitive educational data.