PowerSchool Breach: Millions of Student Records Exposed – Ankor Tech
A massive data breach at PowerSchool, a leader in U.S. educational technology, has compromised the sensitive personal information of millions of students and teachers. Discovered on December 28, the cyberattack exposed critical data, including Social Security numbers, medical records, academic grades, and demographic details.

How the Breach Occurred

PowerSchool initially attributed the incident to a compromised account belonging to a technical support subcontractor. However, further investigation reveals a more alarming security failure: an internal software engineer at the company had their computer infected with LummaC2, a potent infostealing malware, prior to the main attack.

The malware captured the engineer’s credentials, browsing history, and technical device data. These credentials—which included access to internal systems like source code repositories, Slack, Jira, and Amazon Web Services (AWS)—were subsequently leaked to cybercriminal forums and Telegram groups.

Critical Security Lapses

The incident highlights systemic vulnerabilities at the company, which was acquired by Bain Capital in a $5.6 billion deal last year. Despite claims of robust security, reports indicate that the subcontractor account used to access the support portal lacked multi-factor authentication (MFA) at the time of the breach.

Furthermore, an analysis of the stolen logs revealed that many PowerSchool employee passwords were short, lacked complexity, and matched credentials already flagged in previous global data breaches, according to databases like Have I Been Pwned.
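The weak-password findings above (short, low-complexity, already present in breach corpora) are exactly what a defender can check for before credentials leak. The following is an added example, not PowerSchool's or Have I Been Pwned's own code: it applies a length and character-class policy and then performs the k-anonymity lookup that the Pwned Passwords range endpoint uses, where only the first five hex characters of the SHA-1 hash leave the client and the full-hash comparison happens locally. The breach corpus and the `fetch_range` function are constructed stand-ins for the real API so the example runs offline.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus; a real check queries
# https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
BREACHED_SAMPLE = ["password1", "welcome123", "Summer2024!"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Group hashes by 5-char prefix, as the range endpoint serves them."""
    index = {}
    for pw in breached:
        digest = sha1_hex(pw)
        # Each served line is "<35-char suffix>:<times seen in breaches>"
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:1")
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def fetch_range(prefix: str) -> str:
    """Constructed replacement for the HTTP GET; returns CRLF-separated lines."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """k-anonymity lookup: send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        served_suffix, _, count = line.partition(":")
        if served_suffix == suffix:
            return int(count)
    return 0


def audit_password(password: str, min_len: int = 12) -> list:
    """Return a list of policy findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    seen = breach_count(password)
    if seen:
        findings.append(f"seen in {seen} known breach(es)")
    return findings
```

Swapping `fetch_range` for a real HTTP request against the range endpoint turns this into a working onboarding or password-reset gate; the rest of the logic is unchanged.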

Impact on Schools and Students

PowerSchool’s software is utilized by 18,000 schools across North America, serving over 60 million students. While the company has not disclosed the exact number of affected individuals, school districts impacted by the breach report that hackers exfiltrated “all” of their historical student and teacher data.

The scope of the stolen information is deeply concerning. Sources within affected districts confirmed the theft of highly sensitive data, including:

  • Parental access rights and restraining orders.
  • Student medication schedules.
  • Full academic and personal demographic profiles.

Ongoing Investigation

PowerSchool has engaged the incident response firm CrowdStrike to investigate the intrusion. While PowerSchool maintains that it has since implemented full password resets and tightened access controls, the company has declined to confirm whether it will publicly release the findings of the forensic report.

For now, affected school districts are forced to rely on crowdsourced information from peers to determine the extent of the data theft, as official documentation remains locked behind customer-only portals on the company’s incident page.