Guest blog courtesy of Skyhawk Security.
The year is 1985. The movie Back to the Future is released, and the crowds are pouring in to see Marty McFly travel through time. If you were in high school back then, your school records might have been stolen. How?
In December 2024, PowerSchool, a leading K-12 education technology company supporting numerous schools across North America, experienced a significant data breach. The breach was identified on December 28, 2024, when attackers gained unauthorized access to PowerSchool’s customer support portal, known as PowerSource, through compromised credentials.
This unauthorized access exposed the personal information of students and educators, including names, contact details, dates of birth, medical information, Social Security numbers, and more.
Currently, the company serves over 60 million students across four states and more than 18,000 schools. However, expanding the reach and impact of this breach is the fact that schools have uploaded historical data to the system as well. For instance, some schools in Canada state that they have data dating back to 1985. That’s four decades of data – compromised.
How the Breach Happened
Attackers used stolen login credentials to gain unauthorized access to the PowerSource portal. According to some speculation, these belonged to a service account and were not secured by MFA. Once inside, the attackers accessed sensitive personal information, which included data on students and educators, and then exfiltrated this information, leading to the data breach.
The breach impacted many school districts in the U.S. and Canada, including several large districts in Virginia, California, and Toronto, Ontario. The total number of affected schools and individuals is still not fully known. PowerSchool reportedly paid a ransom to prevent the publication of the stolen data following the cybersecurity breach. The company stated that it received assurances from the attackers that the data had been deleted and no additional copies existed. At this point, the stolen data has not been published on the darknet, but that does not placate the angry parents and students. The company now faces 23 lawsuits over this huge data breach.
From Ransomware to Data Theft
The PowerSchool data breach did not cause any operational disturbances to the company’s services. The breach primarily involved the theft of sensitive personal data rather than disrupting the functionality of PowerSchool’s platforms or its ability to serve schools.
This suggests that the attack was focused on data theft rather than ransomware designed to lock systems or prevent access to services. This also indicates that hackers knew what they were doing and when to do it; they executed their plans in the midst of the holiday season when the schools were on vacation and vigilance was lower.
Breadth, Depth, and Length of the Incident
Many security incidents have a decent “blast radius,” but few encompass so many people with such high-value data over such a long period. According to some reports, the breach impacts 62.4 million students and 9.5 million teachers. It includes students and teachers from 40 U.S. states and Canada. In some cases, the data goes way back. In Canada, data from 1985 was compromised, and in California’s Menlo Park City School District, data from 2009 was stolen. From Ontario, the following data was compromised, including:
Lessons Learned
This may seem like a monstrous hacking operation conducted by proficient hackers and, therefore, impossible to stop. However, there were several steps that the hackers took that defenders using a modern, AI-based cloud detection system could have identified and acted upon earlier. In particular, the massive exfiltration of data should have been identified and alerted to security operators. AI-based systems could have been used to run simulations before the incident, map potential breach routes, and plan proper responses before the incident.
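As an added illustration that is not part of the original post and not Skyhawk’s code, the kind of baseline check that would have surfaced the two warning signs described above: a per-identity export volume far above its own historical median, and a service account operating without MFA. The audit-log lines and the portal field layout are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines for a hypothetical support portal.
# Fields: timestamp identity identity_type mfa_enabled records_exported
LOG_LINES = """
2024-12-20T10:12:00 svc-export service no 1200
2024-12-21T10:15:00 svc-export service no 1100
2024-12-22T10:10:00 svc-export service no 1300
2024-12-23T10:11:00 svc-export service no 1250
2024-12-28T03:40:00 svc-export service no 950000
2024-12-20T09:00:00 jsmith human yes 40
2024-12-28T11:00:00 jsmith human yes 55
""".strip().splitlines()

def parse(lines):
    """Turn each log line into a dict; records_exported becomes an int."""
    events = []
    for line in lines:
        ts, ident, kind, mfa, n = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": ident,
                       "kind": kind, "mfa": mfa == "yes", "records": int(n)})
    return events

def daily_totals(events):
    """Sum records exported per identity per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["id"]][e["ts"].date()] += e["records"]
    return totals

def exfil_spikes(events, spike_factor=10, min_history=3):
    """Flag a day whose export count exceeds spike_factor times the identity's
    own median over earlier days. Identities with too little history are skipped
    so a brand-new account does not alert on its first day of normal use."""
    alerts = []
    for ident, days in daily_totals(events).items():
        ordered = sorted(days.items())
        for i, (day, count) in enumerate(ordered):
            prior = [c for _, c in ordered[:i]]
            if len(prior) >= min_history and count > spike_factor * statistics.median(prior):
                alerts.append((ident, str(day), count))
    return alerts

def unprotected_service_accounts(events):
    """Service accounts seen exporting data without MFA: a posture finding that
    should be raised before any spike, not after it."""
    return sorted({e["id"] for e in events if e["kind"] == "service" and not e["mfa"]})
```

Run against real logs, the baseline window and spike factor need tuning per identity class; the point is that the export volume and the missing control are both visible in data the portal already has.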
Skyhawk’s AI-based Autonomous Purple Team enables a proactive approach to cloud security. Skyhawk Security’s Continuous Proactive Protection helps organizations discover their crown jewel assets, and its GenAI-based red team and blue team show how defenses hold up against an attack. This lets organizations prioritize where to shore up defenses, weighted by the value of the data assets at the end of the attack path, so they know where to start updating their security posture, threat detection, and response and remediation.
Skyhawk continuously evaluates the cloud as it updates, and organizations can truly realize the value of the cloud. Skyhawk’s AI-based autonomous purple team constantly evaluates defenses as the cloud architecture evolves, ensuring your most valuable cloud assets are protected.
Skyhawk recently announced Interactive CDR. The new capability adds real-time user interaction to verify suspicious activity of both human and non-human identities (NHIs) that are the root cause of the alert. This closes context gaps between SOCs, cloud teams, and identity owners, which reduces the load on the SOC, dramatically shortens Mean Time to Respond (MTTR), better protects against cloud breaches, and aligns with zero-trust frameworks. Read the press release for more!
Skyhawk Security is not a one-stop shop for your cloud-native CTEM framework, but it does deliver a significant portion of the capabilities. Many organizations already have too many security tools, so adding several tools to implement this framework is not feasible, but implementing one more product is.