PowerSchool suffered a cyber attack in which student and teacher data was stolen
- PowerSchool said threat actors gained access to the student information system in late December and stole data about students and teachers
- We don’t know exactly how many people were affected by the breach
- The data has reportedly been deleted
PowerSchool, a major K-12 education technology software platform, has confirmed that it was the victim of a cyber attack that resulted in the theft of sensitive student and teacher information. Furthermore, the company decided to pay a ransom to have the data deleted.
In late December 2024, an unknown threat actor used stolen credentials to gain access to the PowerSchool Student Information System (SIS) platform. From there, they were able to use the ‘Export Data Manager’ customer support tool to exfiltrate the ‘Students’ and ‘Teachers’ database tables into a CSV file, which was then stolen.
The information captured in this attack includes names and mailing addresses, and in some counties the threat actors also obtained Social Security Numbers (SSN), Personally Identifiable Information (PII), medical information, and grades.
A ransomware attack
PowerSchool notified affected individuals via a breach notification letter, emphasizing that not all PowerSchool SIS customers were affected.
Only a subset of customers received the update, with a PowerSchool spokesperson adding that items such as customer tickets, customer data, or forum data were not disclosed or exfiltrated.
We don’t know exactly how many people were involved in the incident, but apparently the data has been deleted.
PowerSchool said that while this was not a ransomware attack, the attackers were still paid to have the data deleted.
“With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist.” The publication asked the company how much money it paid for this, but did not get a straight answer: “Given the sensitive nature of our investigation, we cannot provide information on certain details.”
In recent times, some ransomware operators have stopped deploying the encryptor and started focusing solely on data exfiltration, as it is cheaper, easier and more convenient, with the same end result.
Via BleepingComputer