PowerSchool data breach: What does it mean for the educational sector?

Nick Ascoli, Director of Product Strategy at Flare

In an exclusive for ETIH, Olivier Bilodeau, Principal Cybersecurity Researcher, and Nick Ascoli, Director of Product Strategy at Flare, examine the recent PowerSchool data breach and its implications for educational institutions.

What happened?

In December 2024, PowerSchool, one of the largest providers of student information system (SIS) software in the United States, experienced a significant data breach. The company serves approximately 16,000 customers and manages data for around 50 million students. The breach occurred through unauthorized access using stolen credentials on a portal that lacked two-factor authentication.

PowerSchool's SIS software is a critical educational technology platform that maintains comprehensive student records, including:

  • Basic demographic information (names, birthdays, addresses)
  • Parent/guardian contact details
  • Academic records
  • In some districts, more sensitive information such as:
    • Social Security numbers
    • Health records
    • Disciplinary records

An important preliminary report about the incident made it to the press:

The [cybersecurity vendor CrowdStrike] report allegedly states that there was no indication that the hacker used malware or exploited a backdoor in PowerSchool’s systems. Instead, access was gained through a single employee’s compromised password. The credentials granted the hacker entry to a “Maintenance Access” function, which enabled the download of millions of students’ personal information.

A single set of credentials of a privileged user was all that was required for such an impactful breach. This highlights a critical security oversight: information systems that aggregate such vast amounts of private information should never be exposed to the Internet without multi-factor authentication (MFA) — a fundamental security best practice that has been widely established for years. The fact that a "Maintenance Access" function with such broad reach could be accessed through single-factor authentication represents a significant departure from basic security hygiene.

Following the breach, PowerSchool engaged in negotiations with the threat actors and ultimately paid a ransom in exchange for promises to delete the stolen data. While the stolen data has not appeared on major hacking forums or cybercrime groups' leak sites, the incident represents the largest data breach affecting minors in U.S. history.

Implications for educational institutions

This breach has several far-reaching implications for the education sector:

First, it highlights the vulnerability of centralized educational technology platforms. When a major provider like PowerSchool experiences a breach, the impact is magnified due to their extensive market penetration and the comprehensive nature of the data they store.

Second, the incident exposes the risks of single-point-of-failure security measures. The breach occurred through stolen credentials on a system without two-factor authentication, demonstrating how basic security oversights can lead to catastrophic consequences in education technology.

Third, this breach raises serious questions about data minimization practices in educational settings. The variety and sensitivity of data stored in these systems — from basic contact information to health and disciplinary records — creates an attractive target for cybercriminals and increases the potential impact of any breach.

Finally, the incident highlights the complex ethical and practical considerations surrounding ransom payments. While PowerSchool's payment may have temporarily prevented public data exposure, there's no guarantee the data was actually deleted. The practice of paying ransoms, while sometimes seemingly necessary, can encourage further attacks on educational institutions or their vendor ecosystem.

The problem with paying ransoms

Paying cybercriminals to delete stolen data is a problematic strategy that often creates more issues than it solves. First, it reinforces the criminals' business model — every successful payment encourages more attacks and confirms that extortion is profitable. Second, there's no guarantee the criminals will honor their promise. A stark example of this occurred when AT&T paid $370,000 to a hacker known as "Waifu" who provided video evidence of data deletion, only to later discover the data had been shared with others and even briefly made public. 

Waifu, who used the alias “Judische” on Telegram, posting a public link to files associated with his compromise of AT&T. Source: Flare.io

Third, payment can complicate relationships with law enforcement, who need to track and stop these criminals, and cyber insurance providers, who may deny claims if voluntary payments are made. Finally, some jurisdictions have regulations against paying ransoms, as these payments may fund other criminal activities. Organizations should instead focus on preventing breaches and having robust incident response plans that don't rely on trusting criminals to keep their word. Think of it like dealing with a blackmailer — paying once doesn't guarantee they won't come back for more, and the "deleted" photos might already have copies.

Response and prevention strategies

Educational institutions and technology providers should implement several key measures to prevent similar incidents:

Implement regular cyber-security best practices

Regular cyber-security hygiene measures still apply: mandatory two-factor authentication on every externally accessible site, access control permissions based on the principle of least privilege, and regular checks of your systems for security weaknesses, both at the security architecture level and at the validation level (penetration testing).

Know your enemy

Understanding how attackers operate is essential for defending against them. In the PowerSchool case, like many others, cybercriminals didn't need sophisticated hacking tools — they simply used stolen passwords. These credentials are obtained, most of the time, when employees' personal computers get infected with malware, which then steals their saved passwords and sends them to criminal networks.

Every month, millions of devices worldwide fall victim to such attacks, making it unrealistic to expect that your employees' personal devices will never be compromised. This reality should shape your cybersecurity strategy — instead of assuming you can prevent credentials from being stolen, assume they will be stolen and protect yourself accordingly. This is why security measures like multi-factor authentication (MFA) are so crucial — they ensure that a stolen password alone isn't enough to breach your systems. In addition to MFA, proactively monitoring data breaches with a Continuous Threat Exposure Management (CTEM) platform can help you remediate compromised accounts before any damage is done.

Number of devices infected and shared online in the cybercrime underground per malware family. Source: Flare.io
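The "assume credentials will be stolen" stance from the two sections above, as an added example that is not code from the article or from Flare's products: it matches constructed stealer-log lines (the common "url:username:password" layout) against a hypothetical account inventory and ranks remediation so that a password-only login to a privileged portal, the PowerSchool scenario, comes first. All hosts, usernames, roles and the log sample are constructed.

```python
from urllib.parse import urlsplit

# Constructed account inventory (hypothetical users and hosts, not real data).
ACCOUNTS = {
    "jdoe@example-sis.test": {"mfa": False, "role": "maintenance_access"},
    "asmith@example-sis.test": {"mfa": True, "role": "maintenance_access"},
    "bwong@example-sis.test": {"mfa": False, "role": "teacher"},
}
ORG_HOSTS = {"portal.example-sis.test", "sis.example-sis.test"}

# Constructed stealer-log sample in the common "url:username:password" layout.
STEALER_LOG = """\
https://portal.example-sis.test/login:jdoe@example-sis.test:Winter2024!
https://sis.example-sis.test/admin:ASmith@example-sis.test:correct:horse
https://shop.unrelated.test/account:bwong@example-sis.test:Winter2024!
https://mail.other.test/:someone@other.test:pw
"""

def parse_record(line):
    """Return (host, user) from 'url:user:password' or None; the password is
    dropped on purpose so it never lands in tickets or logs. Assumes no port."""
    scheme, sep, rest = line.partition("://")
    parts = rest.split(":", 2)  # host/path, user, password (may contain ':')
    if not sep or len(parts) != 3:
        return None
    host = urlsplit(f"{scheme}://{parts[0]}").hostname
    return host, parts[1].strip().lower()

def triage(log_text, accounts=ACCOUNTS):
    """Map each leaked credential of a known account to (user, host, severity,
    action), most urgent first: password-only access to an org host ranks top."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None or rec[1] not in accounts:
            continue  # malformed line, or not one of our users
        host, user = rec
        acct = accounts[user]
        privileged = acct["role"] == "maintenance_access"  # constructed role name
        if host in ORG_HOSTS and not acct["mfa"]:
            sev = "critical" if privileged else "high"
            action = "disable account, reset password, revoke sessions, audit access logs"
        elif host in ORG_HOSTS:  # MFA blunts the stolen password, but rotate anyway
            sev = "high" if privileged else "medium"
            action = "reset password, review recent MFA prompts for rogue approvals"
        else:  # third-party leak: password reuse risk for the same user
            sev = "medium"
            action = "reset password, enforce MFA enrollment"
        findings.append((user, host, sev, action))
    return sorted(findings, key=lambda f: ["critical", "high", "medium"].index(f[2]))
```

Feeding a real stealer-log feed (from a CTEM platform or similar) in place of STEALER_LOG turns this into the monitoring loop described above; the privileged, MFA-less finding is the one to act on within minutes.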

The PowerSchool incident serves as a crucial reminder that educational institutions must prioritize cybersecurity. While no security measure is perfect, implementing these strategies can significantly reduce the risk of breaches and minimize their impact when they do occur. Keep in mind that the majority of cybercrime groups go after low-hanging fruit, so as long as the educational sector is less vulnerable than other industries, it is going to be fine.
