
PowerSchool Data Breach Report Released

By Gordon Hopkins


Two-and-a-half months after a data breach that compromised personal data held by an estimated 1,600 schools in the U.S., Canada, and several other countries, a report has been released.
PowerSchool is a software vendor that provides the Student Information System (SIS) for schools around the world, including several local schools. Fairbury Public Schools, Diller Odell Schools, Meridian Public Schools, Thayer Central, Southern District Schools and Wilber-Clatonia all use PowerSchool.
A statement from PowerSchool indicates the breach was discovered December 28, 2024: “As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.”
One of those cybersecurity experts is CrowdStrike. CrowdStrike’s investigation began on December 29, 2024, and concluded on February 17, 2025. On February 28, 2025, CrowdStrike released a report on the data breach.
According to that report, PowerSchool took the following steps to prevent the data involved from further unauthorized access or misuse and to secure the impacted environment:
Deactivating the compromised credential,
Enforcing a full password reset for employees and contractors,
Restricting access to and tightening password and access controls for the affected customer support portal, and
Requiring that access to the PowerSource environment be via the company’s VPN, which requires single sign-on (SSO) and multi-factor authentication (MFA).
Key Findings
The following is a summary of the key findings from CrowdStrike’s analysis of available data as it appears in the report:

  1. The earliest evidence of unauthorized activity attributable to the Threat Actor within the PowerSchool environment occurred on December 19, 2024, at 04:06:24 UTC. At that time, the Threat Actor initiated an HTTP GET request for support.powerschool[.]com from IP address 146.70.128[.]186.
  2. The Threat Actor performed Maintenance Remote Support operations in PowerSource to gain access to PowerSchool customers’ SIS data. Between December 19, 2024, at 19:43:14 UTC, and December 28, 2024, at 06:31:18 UTC, the Threat Actor performed Maintenance Remote Support operations in PowerSource, which enabled the Threat Actor to access the individual customer organizations’ SIS instances. At 19:43:37 UTC, the Threat Actor initiated a Maintenance Remote Support connection to PowerSchool SIS from the same IP address using the compromised support credentials. Per PowerSchool’s website, “PowerSource is a community-focused customer support portal for all PowerSchool products.” As such, PowerSource allows a support technician with sufficient permissions to gain access to customer SIS database instances for maintenance purposes.
  3. The Threat Actor exfiltrated data from the PowerSchool SIS instances of PowerSchool customers. Between December 19, 2024, at 23:02:54 UTC, and December 23, 2024, at 08:04:45 UTC, the Threat Actor exfiltrated data from the Teachers and Students tables of the PowerSchool SIS instances for certain PowerSchool customers; CrowdStrike found no evidence of data exfiltration from any other tables.
  4. CrowdStrike found no evidence of access or escalation of privilege by the Threat Actor to any PowerSchool systems beyond application-level access via the web-based interface. CrowdStrike has found no evidence of system-layer access or malware associated with this incident. CrowdStrike also examined the tactics, techniques and procedures associated with the Threat Actor, as well as their actions taken in this incident, and did not identify any indications that PowerSchool customer IT environments outside of PowerSource and SIS were compromised or were at risk of intrusion due to this incident.
  5. CrowdStrike identified earlier evidence of unauthorized activity in the PowerSchool environment associated with the compromised support credentials between August 16, 2024 and September 17, 2024. Beginning on August 16, 2024, at 01:27:29 UTC, PowerSource logs showed that an unknown actor successfully accessed the PowerSchool PowerSource portal using the compromised support credentials. CrowdStrike did not find sufficient evidence to attribute this activity to the Threat Actor responsible for the activity in December 2024. The available SIS log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data.
  6. The most recent evidence of Threat Actor activity in the Customer environment occurred on December 28, 2024, at 06:31:18 UTC. At that time, the Threat Actor used the compromised support credentials to log in to the maintenance interface of PowerSource to interact with PowerSchool SIS.
  7. CrowdStrike’s dark web monitoring did not identify exfiltrated data for sale related to this incident. PowerSchool engaged CrowdStrike’s Recon+ Intelligence service as of January 2, 2025, to engage in dark web monitoring, and, as of the date of this report, CrowdStrike has not identified any evidence of information exfiltrated in this incident being made available for sale or download.

PowerSchool will be offering what it calls complimentary identity protection and credit monitoring services to those whose personal information was compromised by the breach. The software company made the offer in a statement issued January 17, 2025: “PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated.”