back to article Database tables of student, teacher info stolen from PowerSchool in cyberattack

A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data – including some Social Security Numbers and medical info – stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including …

  1. beast666 Bronze badge

    "PowerSchool said any adults affected would be receiving free credit monitoring, while minors would get subscriptions to an unnamed identity protection services biz..."

    Hmmm, I wonder...

  2. Traf_Attog
    Facepalm

    PAM

    Have any of these companies heard of PAM and MFA for all administrative accounts, no exceptions? I guess security is hard or something…

    1. Anonymous Coward
      Anonymous Coward

      Re: PAM

      I would say, from experience, that no, they haven't heard of PAM/MFA or modern security at all.

      Anon because I have to deal with these clueless c*nts.

    2. Christoph

      Re: PAM

      Quite - why was a single login credential able to access data for multiple schools?

      1. Geoff Campbell Silver badge
        Facepalm

        Re: PAM

        School IT is stuffed full of service providers who hold data for huge numbers of schools and colleges worldwide. You'd've hoped that they would know better on security, but we all know that Hope is a small village outside the city of Reality.

        GJC

  3. ChoHag Silver badge

    > in accordance with regulatory and contractual obligations.

    We'll do absolute the minimum we're forced to.

    1. Guy de Loimbard Bronze badge

      And there, my friend, lays the crux of the issue.

      Minimum application of minimum requirements.

      Having worked in a number of fields similar to this, the amount of executive push back, based only on cost I hasten to add, of substantial and commensurate security features, is shocking.

      There is still a culture of "it'll never happen to us".

  4. KittenHuffer Silver badge
    Joke

    I wonder if they got little Bobby Tables' data?

    Cos if they did then the data breach might just have cured itself!

  5. Valeyard

    "compromised credential"

    how much are you betting that it's the default admin password

  6. WanderingHaggis
    FAIL

    I wonder

    Makes me wonder what was the data being used for -- bragging rights or something more malicious? If malicious and over such a long period as suggested then surely there would be traces elsewhere -- ID theft issues, bank issues...

    In any case someone somewhere should be getting marching orders for poor credential security.

  7. WolfFan

    Sounds like they were violating FERPA

    FERPA https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act has been around for literally 50 years. In order for one set of compromised credentials to access all of this info, FERPA was being violated big time in the course of their normal operations. FERPA is, of course, Federal. And even if it wasn’t, the fact that multiple states and multiple countries are involved would make it Federal.

    There’s going to be blood…

    1. EnviableOne

      Re: Sounds like they were violating FERPA

      It is also violating COPPA too, bearing in mind we are talking K-12 personal info at least half of it is Under 13s

    2. An_Old_Dog Silver badge

      Re: Sounds like they were violating FERPA

      There SHOULD blood -- C-suite blood -- but dollars to doughnuts, there will not be.

      In the C-suite, it's business as usual. "*Yawn* Pass me the sports section, will ya, Frank?"

  8. Decay

    PowerSchool may, depending on the school, stores the students name, address, contact info, address Social Insurance Number (SIN), Permanent Residency card number (PR) . In Canada that's plenty good enough to open bank accounts, credit cards, etc. etc. This is going to be a nightmare.

    The actual letter sent to students and parents played all this down despite them saying elsewhere..

    "PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more."

    "PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades."

    see..

    Dear Valued Customer,

    As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool become aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.

    Please review the following information and be sure to share this with relevant security individuals at your organization.

    As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.

    We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.

    Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.

    Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.

    We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.

    PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.

    We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

    In the coming days, we will provide you with a communications package to support you in engaging with families, teachers and other stakeholders about this incident. The communications package will include tailored outreach emails, talking points, and a robust FAQ so that district and school leadership can confidently discuss this incident with your community.

    We understand that you may have additional questions as a result of this update. FAQs are available on PowerSchool Community. Additionally, we will be holding webinars with senior leaders, including our Chief Information Security Officer, to address additional concerns. Please click the link below to register for a webinar that fits your schedule. Note that content for all sessions will be identical, so you need only attend one.

    Wednesday, January 8: REGISTER HERE

    Thursday, January 9: REGISTER HERE

    In the meantime, please reach out to your Customer Success Manager (CSM), Support, or other established PowerSchool contact should you have any questions. We will be sending communications later today to other stakeholders in your organization who are responsible for other PowerSchool products notifying them of no impact to the other PowerSchool products.

    We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.

    Thank you for your continued support and partnership.

    Sincerely,

    Hardeep Gulati

    Chief Executive Officer

    Paul Brook

    Chief Customer Officer

    cc: Mishka McCowan

    Chief Information Security Officer

  9. Emir Al Weeq

    Not a ransomware attack

    "The supplier did say this wasn't an attack involving ransomware"

    "We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination".

    I wonder how they can be so sure of this? It sounds to me like they've been talking to the perpetrators and reached a deal, ie. they've paid the ransom and trust the perps to delete (for what that's worth). There may not have been ramsomware involved but that doesn't mean they haven't paid the scumbags.

    1. Decay

      Re: Not a ransomware attack

      Several sources confirmed money was paid.

    2. SCP

      Re: Not a ransomware attack

      I wonder how they can be so sure of this?

      Commonly 'because their salaries depend on it' - though it is possible that ignorance and stupidity are also involved.

  10. MachDiamond Silver badge

    No opt out for you

    There should be people going to prison for this sort of thing. There's no opting out and often no information given to parents about the outside IT services a school might use. Staff may be unaware of the depth of information that might be kept in these systems as well as the companies attempt to be the One Ring to run everything in the same way Elon dreams of turning his company into a one-stop-shop for all of your financial and social media needs.

  11. Dante Alighieri
    FAIL

    subset = all

    No longer an issue = nothing left to lose

    others have posted re ransom.

    Has anyone mentioned "sophisticated" yet, I have a bingo card to complete.

  12. TRT

    Power School

    Ringing a bell in the deep dark recesses of my mind... wasn't that the name of an Apple Student Information / School Management System from around 1999 to 2005ish?

    1. Anonymous Coward
      Anonymous Coward

      Re: Power School

      Yes it was. It was bought by Pearson Education around 2005. Sometime recently it was sold to Bain Capital.

    2. kylekartan

      Re: Power School

      Yes it was. It was bought by Pearson Education around 2005. Sometime recently it was sold to Bain Capital.

      1. ecofeco Silver badge

        Re: Power School

        Bain? Ah, mystery of lax security solved.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like