Another day, another data breach. PowerSchool, a major education technology platform, has alerted its over 18,000 customers that hackers were able to access and download highly sensitive information about customers (the schools), school staff, and students (Here is a link to the email that PowerSchool sent out to notify affected school districts).
What happened?
According to information obtained by TechCrunch, the information downloaded by hackers primarily included contact information (individuals' names, addresses, and phone numbers; parents' names, phone numbers, and email addresses), some medical and grade information, and Social Security numbers. Hackers were also able to access other "unspecified personally identifiable information." The types of data stolen vary by customer. TechCrunch also reported that the breach did not involve ransomware, but rather a cyber-extortion event in which a sum was paid to the attackers to prevent the stolen information from being published online.
How did it happen?
EdTech IRL has a good write-up, although a bit technical, on how the attackers gained access to PowerSchool. A number of factors contributed to the breach, but the most significant is that the attackers had compromised credentials they were able to use to access PowerSource, the customer support portal for PowerSchool. From there, they were able to access customer data using the PowerSource remote support tools. It is unclear whether Multifactor Authentication was turned on at the time. According to BleepingComputer, the attacker was located in Ukraine; EdTech IRL also reported that MFA had been enabled as of January 7th. Most likely, MFA was turned on after the breach was discovered as a way to prevent further access by the attacker. PowerSchool has also done a full password reset and increased password length and complexity requirements.
What we know from these and other news sources is that the hacker used compromised credentials - basically a fancy way of saying a stolen username and password. How do hackers most commonly steal credentials? Phishing (that's another article for another time). The problem is, if the compromised PowerSchool employee reused the same credentials for other systems, those other systems are now also at risk. That's a safe bet, too - according to our friends at Bitwarden, only 20% of employees report never reusing passwords. Since the password length and complexity requirements were increased after the attack, they probably weren't long enough to begin with. If the hacker was in Ukraine, proper hardware-based or authenticator app-based MFA would most likely have stopped the attack in its tracks.
What can I do?
There's a saying that a smart person learns from their own mistakes, but a wise person learns from other people's mistakes. Here is some wisdom we can glean from the PowerSchool breach:
- STOP REUSING PASSWORDS. Use a unique password for every system.
- Passwords should be randomly generated and as long as the website will allow. Spring2025! isn't a secure password even though it meets most complexity requirements. RLA48$sjStb*5GQW5w%N is a 20-character password that I just generated from my password manager and can't be guessed. Which brings me to my next point.
- Use a password manager. We use Bitwarden Enterprise and provide it to our clients as part of our cybersecurity services, which includes a free license for Bitwarden Families, so our clients' employees and their families can have secure password practices at home. There are other great free and paid options too, but they only work if you use them.
- Turn on Multifactor Authentication for every application that has the option. Hardware security keys are the best and can eliminate the need for passwords with some systems. Authenticator apps are a close second. Only use text and email codes if no other option exists.
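To show why meeting a complexity policy is not the same as being hard to guess, here is an added example (not from the original post or from PowerSchool) that checks both Spring2025! and a randomly generated 20-character password against a typical policy, flags the "word + year + symbol" pattern, and compares rough entropy estimates; the dictionary size, year range and symbol count used for the pattern estimate are assumptions.

```python
import math
import re
import secrets
import string

# Alphabet for generated passwords: upper, lower, digits and printable symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def meets_complexity_policy(pw: str) -> bool:
    """A typical policy: 8+ characters with an upper, a lower, a digit and a symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

# Human-chosen passwords often follow "Capitalised word + year + trailing symbol" (Spring2025!).
WORD_YEAR_SYMBOL = re.compile(r"^[A-Z][a-z]{2,}(19|20)\d{2}[!@#$%^&*?]?$")

def looks_human_patterned(pw: str) -> bool:
    return WORD_YEAR_SYMBOL.match(pw) is not None

def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)

def patterned_entropy_bits(words: int = 20_000, years: int = 100, symbols: int = 11) -> float:
    """Assumed search space for word+year+symbol: ~20k common words, 100 years,
    10 symbols or none. Illustrative assumptions, not measured values."""
    return math.log2(words) + math.log2(years) + math.log2(symbols)

def estimated_entropy_bits(pw: str) -> float:
    """Heuristic: a patterned password is only as strong as its pattern's search space."""
    if looks_human_patterned(pw):
        return patterned_entropy_bits()
    return random_entropy_bits(len(pw))

def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, redrawn until it also satisfies the policy."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity_policy(pw):
            return pw

if __name__ == "__main__":
    for pw in ("Spring2025!", generate_password(20)):
        print(f"{pw!r:24} policy={meets_complexity_policy(pw)} "
              f"patterned={looks_human_patterned(pw)} ~{estimated_entropy_bits(pw):.0f} bits")
```

Both passwords pass the policy, but the patterned one sits in a search space of roughly 24 bits, while the random 20-character one is near 131 bits.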
If you don't have a cybersecurity system in place, or if you do and someone else is managing it but you'd like a second opinion, we offer a FREE Security Risk Assessment. This assessment will go over every area of your network to identify if and where you are vulnerable to an attack and propose solutions to fix it.
Click here to book your Security Risk Assessment with one of our cybersecurity experts, or call our office at 765-726-2849.