Database tables of student, teacher info stolen from PowerSchool in cyberattack

Class act: Cloud biz only serves 60M-plus folks globally, no biggie


A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students' and teachers' personal data – including some Social Security Numbers and medical info – stolen.

PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers.

On December 28 someone managed to get into its systems and access their contents "using a compromised credential," the California-based biz told its clients in an email seen by The Register this week.

"I would love to see some more reporting on this serious security breach that occurred to one of the largest student information system vendors," one school CTO told El Reg today, adding: "PowerSchool is likely in violation of their signed data privacy agreements with school districts. There are also a few laws that deal with student privacy at the federal and state level."

The executive said the software developer had taken nearly two weeks to alert customers, and that work was now underway at their school to determine the full extent of the intrusion.

In Canada, the Toronto District School Board, at least, sent a note to students and staff warning that PowerSchool had suffered "a data breach between December 22 and 28, 2024."

PowerSchool, meanwhile, told us someone was able to use that aforementioned stolen credential to copy people's private info from its information system.

"We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators.

"For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information.

"Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations."

The supplier did say this wasn't an attack involving ransomware or the exploitation of software bugs, rather a fairly straightforward network penetration. It has called in an independent security shop to carry out a full audit of its systems, and figure out exactly what happened and who has been affected.

"We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination," the developer told customers.

"We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts."

PowerSchool said any adults affected will receive free credit monitoring, while minors will get subscriptions to an unnamed identity protection services biz "in accordance with regulatory and contractual obligations."

Interestingly enough, security outfit Cyble thinks the intrusion may have been more serious and gone on much longer than has been publicly acknowledged so far.

The cybersecurity vendor has been monitoring black-hat hacking forums, and says from that research it appears the break-in could have occurred as far back as June 16, 2011, and that the digital trespassing ended on January 2 of this year.

Cyble's threat intelligence veep Kaustubh Medhe said it has seen evidence of "data-stealing malware designed to infiltrate systems and extract valuable information" being used against PowerSchool employees and/or its users.

"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised as a result, we're told.

BeyondTrust's PR reps assured us their systems have not been improperly accessed, for what it's worth.

We've asked PowerSchool for a response to Cyble's findings. ®