In December 2024, PowerSchool suffered a **ransomware-driven data breach** via its **PowerSource customer support portal**, which lacked multifactor authentication. Threat actors exfiltrated a dataset containing **student and staff names, contact details, Social Security numbers, medical notes, and limited passwords** from its **Student Information System**, impacting **60+ million students and 18,000 educational customers** across North America and Canada. PowerSchool **paid an undisclosed ransom** to prevent public exposure, but the actors later **extorted four school districts** using the same stolen data, contradicting PowerSchool’s earlier claim that the data was destroyed. The breach triggered **class-action lawsuits**, regulatory scrutiny, and **free credit monitoring for victims**. The FBI is investigating, while North Carolina’s education department refused to engage with attackers, citing legal prohibitions. The incident highlights failures in **access controls** and **ransomware response**, with ongoing risks of **identity theft, fraud, and reputational damage** for schools and families.
Source: https://www.cybersecuritydive.com/news/powerschool-data-breach-school-extortion-attempts/747801/
TPRM report: https://www.rankiteo.com/company/powerschool-group-llc
"id": "pow14104514112725",
"linkid": "powerschool-group-llc",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '60,000,000+ (students) + 18,000 '
'(schools/districts)',
'industry': 'Education Technology',
'location': 'Global (HQ: Folsom, California, USA)',
'name': 'PowerSchool',
'size': 'Serves 60M+ students, 18K+ educational '
'customers',
'type': 'EdTech Software Provider'},
{'industry': 'Public Education',
'location': 'North Carolina, USA',
'name': 'North Carolina Department of Public '
'Instruction (NCDPI)',
'type': 'State Education Agency'},
{'industry': 'Education',
'location': 'Toronto, Canada',
'name': 'Toronto School District (unspecified)',
'type': 'School District'},
{'industry': 'Education',
'location': ['North America (specific locations '
'undisclosed)'],
'name': 'Three additional unnamed school districts',
'type': 'School Districts'}],
'attack_vector': ['Unauthorized access via PowerSource customer support '
'portal',
'Lack of multifactor authentication (MFA)'],
'customer_advisories': ['Free credit monitoring/identity protection offered',
'Direct support to contacted schools'],
'data_breach': {'data_exfiltration': 'Confirmed',
'personally_identifiable_information': ['Names',
'Contact details',
'SSNs (limited)',
'Medical notes'],
'sensitivity_of_data': 'High (SSNs, medical notes, passwords)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Credentials']},
'date_detected': '2024-12-28',
'date_publicly_disclosed': '2025-01-00',
'description': "Threat actors breached PowerSchool's Student Information "
'System in December 2024, stealing teacher and student data '
'(including names, contact info, SSNs, medical notes, and '
'passwords). The company paid a ransom, but threat actors '
'later used the same dataset to extort four school districts '
'across North America. The breach impacted ~60M students and '
'18K educational customers. PowerSchool lacked MFA on its '
'PowerSource support portal, the initial attack vector. The '
'FBI is investigating, and class-action lawsuits have been '
'filed.',
'impact': {'brand_reputation_impact': 'Severe (public criticism, lawsuits, '
'loss of trust)',
'customer_complaints': ['Public pushback', 'Class-action lawsuits'],
'data_compromised': ['Student/teacher names',
'Contact information',
'Social Security numbers (limited)',
'Medical notes',
'Passwords (limited)'],
'identity_theft_risk': 'High (SSNs and personal data exposed)',
'legal_liabilities': ['Class-action lawsuits',
'Potential regulatory fines'],
'operational_impact': ['Extortion threats to 4 school districts',
'Ongoing FBI investigation',
'Class-action lawsuits'],
'systems_affected': ['PowerSchool Student Information System',
'PowerSource customer support portal']},
'initial_access_broker': {'data_sold_on_dark_web': 'Unconfirmed (but used for '
'extortion)',
'entry_point': 'PowerSource customer support portal '
'(lack of MFA)',
'high_value_targets': ['Student/teacher PII',
'SSNs',
'Medical records']},
'investigation_status': 'Ongoing (FBI-led)',
'lessons_learned': ['Criticality of MFA for sensitive portals',
'Risks of paying ransoms (data not guaranteed to be '
'deleted)',
'Need for transparent communication with stakeholders'],
'motivation': ['Financial gain (ransom payment)',
'Data extortion from schools'],
'post_incident_analysis': {'corrective_actions': ['MFA implementation '
'(presumed)',
'Credit monitoring for '
'victims',
'Collaboration with law '
'enforcement'],
'root_causes': ['Absence of MFA on critical portal',
'Inadequate access controls',
'Over-reliance on threat actor '
'assurances post-ransom']},
'ransomware': {'data_exfiltration': 'Confirmed (December 2024 breach)',
'ransom_demanded': ['Initial ransom paid by PowerSchool '
'(amount undisclosed)',
'Subsequent extortion demands to 4 school '
'districts (amounts undisclosed)'],
'ransom_paid': 'Yes (by PowerSchool; schools refused per NC '
'law)'},
'recommendations': ['Implement MFA universally',
'Avoid ransom payments (per FBI guidance)',
'Enhance third-party vendor security audits',
'Proactive credit monitoring for victims'],
'references': [{'source': 'K-12 Dive'},
{'source': 'PowerSchool Public Statement (May 2025)'},
{'source': 'North Carolina Department of Public Instruction '
'(NCDPI) Statement'}],
'regulatory_compliance': {'legal_actions': ['Class-action lawsuits',
'Potential violations of North '
'Carolina law (if schools paid '
'ransom)'],
'regulatory_notifications': ['FBI notified',
'Affected '
'schools/districts '
'notified']},
'response': {'communication_strategy': ['Public statements (January 2025, May '
'2025)',
'Direct outreach to affected schools'],
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (FBI investigation ongoing)',
'remediation_measures': ['Free credit monitoring/identity '
'protection for victims',
'Collaboration with affected schools'],
'third_party_assistance': ['Law enforcement (FBI)',
'Credit monitoring/identity '
'protection providers']},
'stakeholder_advisories': ['PowerSchool urged schools not to engage with '
'threat actors',
'NCDPI prohibited ransom payments under state law'],
'title': 'PowerSchool Student Information System Data Breach and Extortion '
'Attempts',
'type': ['Data Breach', 'Ransomware', 'Extortion'],
'vulnerability_exploited': 'Absence of MFA on PowerSource portal'}