PowerSchool, an education software provider, suffered a significant cyberattack in 2024 when hacker Matthew D. Lane and accomplices breached its network and exfiltrated sensitive data, including names, addresses, Social Security numbers, and medical records of an estimated 70 million individuals. The attackers demanded $2.85 million in bitcoin to prevent data leaks, and although PowerSchool confirmed paying a ransom in May 2024, the threat actors continued extorting school districts in the U.S. and Canada. The breach exposed highly personal information, putting affected individuals at risk of identity theft and financial fraud and the company at risk of reputational damage. The incident also highlighted weaknesses in PowerSchool's security posture: the attackers maintained persistent access for months, escalating the risk of further exploitation.
Source: https://www.govinfosecurity.com/breach-roundup-chinese-hackers-exploited-arcgis-a-29749
TPRM report: https://www.rankiteo.com/company/powerschool-group-llc
"id": "pow4502845101725",
"linkid": "powerschool-group-llc",
"type": "Ransomware",
"date": "5/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "affected_entities": [
    {"industry": "Geospatial/Mapping", "location": "USA", "name": "Esri (ArcGIS)", "type": "Software Vendor"},
    {"customers_affected": "200+ internet-exposed instances", "industry": "Call Center Solutions", "location": "Pakistan", "name": "ICT Innovations (ICTBroadcast)", "type": "Software Vendor"},
    {"customers_affected": "Windows 10 users (EoS)", "industry": "Technology", "location": "USA", "name": "Microsoft", "type": "Software Vendor"},
    {"customers_affected": "70M individuals", "industry": "Education", "location": "USA", "name": "PowerSchool", "type": "EdTech Company"},
    {"industry": "Telecom", "name": "Unnamed Telecom Company", "type": "Telecommunications"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "American Family Mutual Insurance", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Farmers Insurance", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Hagerty Insurance Agency", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Hartford Insurance Group", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Infinity Insurance", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Liberty Mutual", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "Metromile", "type": "Insurer"},
    {"customers_affected": "Part of 825K records", "industry": "Insurance", "location": "USA", "name": "State Auto Mutual Insurance", "type": "Insurer"},
    {"customers_affected": "150K users (across 100+ extensions)", "industry": "Software", "location": "Global", "name": "VS Code Extension Publishers", "type": "Developers"}
  ],
  "attack_vector": [
    {
      "arcgis_breach": "Valid administrator credentials (public-facing ArcGIS server → internal server), Java SOE web shell, SoftEther VPN tunnel (port 443)",
      "ictbroadcast_exploits": "CVE-2025-2611 (session cookie injection → RCE), reverse shells",
      "insurance_breaches": "Exploited 'pre-fill' quoting tools (auto-populated PII)",
      "microsoft_patch_tuesday": "N/A (patch for vulnerabilities)",
      "powerschool_hack": "Network intrusion (methods undisclosed)",
      "vs_code_leaks": "Exposed Personal Access Tokens (PATs) in extensions"
    }
  ],
  "customer_advisories": [
    {
      "insurance_breaches": "NY AG advised consumers to place fraud alerts on credit reports.",
      "powerschool_hack": "Affected individuals notified; credit monitoring recommended."
    }
  ],
  "data_breach": {
    "data_exfiltration": [
      {
        "arcgis_breach": "Attempted (AD SAM database)",
        "insurance_breaches": "Confirmed (used for fraud)",
        "others": null,
        "powerschool_hack": "Confirmed (stolen data used for extortion)"
      }
    ],
    "number_of_records_exposed": [{"insurance_breaches": "825K", "others": null, "powerschool_hack": "70M"}],
    "personally_identifiable_information": ["SSNs, medical records, driver’s licenses, DOBs, names, addresses"],
    "sensitivity_of_data": ["High (PII, credentials, secrets)"],
    "type_of_data_compromised": [
      "Credentials (ArcGIS)",
      "PII (SSNs, medical records - PowerSchool)",
      "Driver’s licenses, VINs, DOBs (insurers)",
      "Secrets (PATs, API keys - VS Code)"
    ]
  },
  "date_detected": [
    {
      "ictbroadcast_exploits": "2024-08-05 (Metasploit exploit published)",
      "microsoft_patch_tuesday": "2024-10-08 (October Patch Tuesday)",
      "powerschool_hack": "2022 (initial breach), 2024-04/05 (extortion), 2024-09/12 (subsequent breach)"
    }
  ],
  "date_publicly_disclosed": [
    {
      "arcgis_breach": "2024-10-08 (ISMG report)",
      "ictbroadcast_exploits": "2024-10-08 (VulnCheck/Rapid7)",
      "insurance_breaches": "2024-10-08 (NY AG announcement)",
      "microsoft_patch_tuesday": "2024-10-08",
      "powerschool_hack": "2024-05 (ransom payment confirmed), 2024-10-08 (sentencing)",
      "vs_code_leaks": "2024-10-08 (Wiz report)"
    }
  ],
  "date_resolved": [
    {
      "ictbroadcast_exploits": "Unpatched (vendor silent)",
      "microsoft_patch_tuesday": "2024-10-08 (patches released)",
      "powerschool_hack": "2024-05 (ransom paid, but extortion continued)"
    }
  ],
  "description": "A weekly roundup of cybersecurity incidents including: (1) Chinese state-linked hackers (Flax Typhoon) exploited an ArcGIS server via a Java SOE web shell, maintaining persistence for over a year; (2) Attackers exploited CVE-2025-2611 in ICTBroadcast call center software for unauthenticated RCE; (3) Microsoft patched 172 flaws (6 zero-days) in October Patch Tuesday; (4) A Massachusetts student sentenced for extorting $3M from PowerSchool and a telecom firm; (5) New York fined 8 insurers $14.2M for data breaches exposing 825K records; (6) Over 100 VS Code extensions leaked secrets (PATs, API keys).",
  "impact": {
    "brand_reputation_impact": [
      {
        "insurance_breaches": "High (regulatory fines, public disclosure)",
        "others": null,
        "powerschool_hack": "High (70M affected, school districts targeted)"
      }
    ],
    "data_compromised": [
      {
        "arcgis_breach": "Administrator credentials, AD SAM database (attempted theft)",
        "ictbroadcast_exploits": null,
        "insurance_breaches": "Driver’s license numbers, VINs, DOBs (825K records)",
        "powerschool_hack": "Names, addresses, SSNs, medical records (70M people affected)",
        "vs_code_leaks": "PATs, API keys (OpenAI, AWS, GitHub, etc.)"
      }
    ],
    "financial_loss": [
      {
        "insurance_breaches": "$14.2M (fines)",
        "others": null,
        "powerschool_hack": "$200K (paid to telecom) + $2.85M (demanded from PowerSchool)"
      }
    ],
    "identity_theft_risk": [
      {
        "insurance_breaches": "High (driver’s licenses, DOBs)",
        "others": null,
        "powerschool_hack": "High (SSNs, medical records)"
      }
    ],
    "legal_liabilities": [
      {
        "insurance_breaches": "$14.2M fines (NY AG)",
        "others": null,
        "powerschool_hack": "Criminal sentencing (4 years prison)"
      }
    ],
    "operational_impact": [
      {
        "arcgis_breach": "Undetected for >1 year, lateral movement",
        "insurance_breaches": "Fraudulent unemployment claims",
        "others": null,
        "powerschool_hack": "Ongoing extortion post-ransom payment"
      }
    ],
    "systems_affected": [
      {
        "arcgis_breach": "ArcGIS server (public-facing + internal), IT staff workstations",
        "ictbroadcast_exploits": "ICTBroadcast versions ≤7.4 (200+ internet-exposed instances)",
        "insurance_breaches": "8 insurers' quoting tools",
        "microsoft_patch_tuesday": "Windows 10 (EoS), Agere Modem driver, RACM, IGEL OS, AMD SEV-SNP, TPM 2.0",
        "powerschool_hack": "PowerSchool network, telecom firm network",
        "vs_code_leaks": "100+ VS Code extensions (150K install base)"
      }
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      {
        "arcgis_breach": "SoftEther VPN (Windows service), Java SOE web shell",
        "ictbroadcast_exploits": "Reverse shells",
        "others": null
      }
    ],
    "data_sold_on_dark_web": [
      {
        "others": null,
        "powerschool_hack": "Likely (threatened leak if ransom unpaid)"
      }
    ],
    "entry_point": [
      {
        "arcgis_breach": "Public-facing ArcGIS server (valid admin credentials)",
        "ictbroadcast_exploits": "Internet-exposed ICTBroadcast instance (CVE-2025-2611)",
        "insurance_breaches": "Pre-fill quoting tools (lack of MFA)",
        "powerschool_hack": null,
        "vs_code_leaks": "Publicly available VS Code extensions (hardcoded secrets)"
      }
    ],
    "high_value_targets": [
      {
        "arcgis_breach": "AD SAM database, IT staff workstations",
        "insurance_breaches": "PII for fraudulent claims",
        "others": null,
        "powerschool_hack": "Education records (70M individuals)"
      }
    ],
    "reconnaissance_period": [
      {
        "arcgis_breach": ">1 year (undetected)",
        "others": null
      }
    ]
  },
  "investigation_status": [
    {
      "arcgis_breach": "Completed (ReliaQuest attribution)",
      "ictbroadcast_exploits": "Ongoing (vendor silent)",
      "insurance_breaches": "Completed (fines issued)",
      "powerschool_hack": "Completed (sentencing)",
      "vs_code_leaks": "Completed (Wiz report)"
    }
  ],
  "lessons_learned": [
    "1. ArcGIS Breach: Living-off-the-land (LoL) techniques and VPN tunnels (SoftEther) can evade detection for prolonged periods. Hardcoded secrets in web shells increase stealth.",
    "2. ICTBroadcast: Unpatched internet-exposed software with RCE vulnerabilities (CVE-2025-2611) becomes a prime target. Vendors must prioritize patching even after disclosure.",
    "3. PowerSchool: Paying ransoms does not guarantee cessation of extortion. Critical data (SSNs, medical records) requires layered protections beyond perimeter defenses.",
    "4. Insurance Breaches: 'Pre-fill' tools with auto-populated PII are high-risk targets. MFA and anomaly detection are essential for fraud prevention.",
    "5. VS Code Extensions: Hardcoded secrets in extensions create supply chain risks. Automated secret scanning should be mandatory in CI/CD pipelines.",
    "6. Microsoft Patch Tuesday: End-of-support (EoS) systems (Windows 10) require migration plans to avoid exposure to unpatched zero-days."
  ],
  "motivation": [
    {
      "arcgis_breach": "Espionage (credential theft, AD reconnaissance)",
      "ictbroadcast_exploits": "Likely cybercrime (persistent access for follow-on attacks)",
      "insurance_breaches": "Fraud (unemployment claims)",
      "powerschool_hack": "Financial gain ($3M extortion)"
    }
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "1. For ArcGIS: Enforce least-privilege access, segment internal/external servers, deploy EDR to detect hands-on-keyboard activity.",
      "2. For ICTBroadcast: Vendors must patch critical vulnerabilities promptly; users should isolate call center software from the internet.",
      "3. For Ransomware Victims: Develop post-payment playbooks (e.g., legal action, law enforcement coordination) to deter repeated extortion.",
      "4. For Insurers: Implement behavioral analytics for quoting tools and mandate MFA for all PII-accessing systems.",
      "5. For Developers: Integrate secret detection tools (e.g., GitHub Advanced Security) into CI/CD and enforce token rotation policies.",
      "6. For Legacy Systems: Accelerate migration from EoS software (e.g., Windows 10) and prioritize patches for zero-days in firmware/drivers."
    ],
    "root_causes": [
      "1. ArcGIS: Poor credential hygiene (valid admin credentials on public-facing server), lack of network segmentation, and insufficient logging (allowed >1 year dwell time).",
      "2. ICTBroadcast: Unpatched RCE vulnerability (CVE-2025-2611) in internet-exposed software, vendor inaction post-disclosure.",
      "3. PowerSchool: Inadequate post-breach containment (extortion continued after ransom payment), likely insufficient segmentation of sensitive data.",
      "4. Insurers: Missing MFA and monitoring on high-risk tools (pre-fill quoting systems), enabling automated fraud at scale.",
      "5. VS Code Extensions: Lack of secret scanning in development pipelines, leading to hardcoded credentials in public repositories.",
      "6. Microsoft: Legacy system risks (Windows 10 EoS) compounded by zero-day exploits in drivers (Agere Modem) and firmware (TPM 2.0)."
    ]
  },
  "ransomware": {
    "data_exfiltration": [{"powerschool_hack": "Confirmed"}],
    "ransom_demanded": [{"powerschool_hack": "$2.85M (PowerSchool) + $200K (telecom)"}],
    "ransom_paid": [{"powerschool_hack": "$200K (telecom) + undisclosed (PowerSchool, confirmed in May 2024)"}]
  },
  "recommendations": [
    "1. For ArcGIS Users: Isolate public-facing servers, audit Java SOE extensions, and monitor outbound VPN traffic (e.g., SoftEther on port 443).",
    "2. For ICTBroadcast Users: Remove internet exposure, apply network segmentation, and replace unpatched versions. Use WAFs to block session cookie injection.",
    "3. For Organizations: Implement MFA universally, especially for tools handling PII (e.g., quoting systems). Monitor for credential dumping (e.g., AD SAM database access).",
    "4. For Developers: Scan extensions/code for hardcoded secrets (PATs, API keys) using tools like GitHub Secret Scanning or Wiz.",
    "5. For Insurers: Conduct third-party risk assessments for 'pre-fill' tools and enforce MFA for all high-risk systems.",
    "6. For Windows 10 Users: Migrate to supported OS versions or purchase Extended Security Updates (ESU) to mitigate zero-day risks.",
    "7. For Incident Response: Assume attackers will continue extortion post-ransom payment. Engage law enforcement early (as in PowerSchool case)."
  ],
  "references": [
    {"date_accessed": "2024-10-08", "source": "Information Security Media Group (ISMG)", "url": "https://www.ismg.com"},
    {"source": "ReliaQuest (ArcGIS Breach)"},
    {"date_accessed": "2024-10-08", "source": "VulnCheck (CVE-2025-2611)", "url": "https://vulncheck.com"},
    {"date_accessed": "2024-10-08", "source": "Rapid7 (ICTBroadcast)", "url": "https://www.rapid7.com"},
    {"date_accessed": "2024-08-05", "source": "Metasploit (CVE-2025-2611 Exploit)", "url": "https://www.metasploit.com"},
    {"date_accessed": "2024-10-08", "source": "Wiz (VS Code Secrets)", "url": "https://www.wiz.io"},
    {"date_accessed": "2024-10-08", "source": "New York Attorney General (Insurance Fines)", "url": "https://ag.ny.gov"},
    {"date_accessed": "2024-10-08", "source": "U.S. Department of Justice (PowerSchool Sentencing)", "url": "https://www.justice.gov"}
  ],
  "regulatory_compliance": {
    "fines_imposed": [{"insurance_breaches": "$14.2M (NY AG)"}],
    "legal_actions": [
      {
        "insurance_breaches": "NY AG enforcement",
        "powerschool_hack": "Criminal prosecution (4-year sentence)"
      }
    ],
    "regulations_violated": [
      {
        "insurance_breaches": "Likely NY data protection laws (lack of MFA/monitoring)",
        "powerschool_hack": "Potential HIPAA/FERPA (medical/education records)"
      }
    ],
    "regulatory_notifications": [
      {
        "insurance_breaches": "NY AG public disclosure",
        "others": null
      }
    ]
  },
  "response": {
    "communication_strategy": [
      {
        "insurance_breaches": "NY AG press release",
        "others": null,
        "powerschool_hack": "Public disclosure of ransom payment"
      }
    ],
    "containment_measures": [
      {
        "microsoft_patch_tuesday": "Patches released for 172 flaws",
        "others": null
      }
    ],
    "incident_response_plan_activated": [
      {
        "arcgis_breach": null,
        "insurance_breaches": "NY AG investigation → fines",
        "others": null,
        "powerschool_hack": "Ransom paid (May 2024), but extortion continued"
      }
    ],
    "law_enforcement_notified": [
      {
        "insurance_breaches": "Yes (NY AG)",
        "others": null,
        "powerschool_hack": "Yes (FBI, sentencing by federal judge)"
      }
    ],
    "remediation_measures": [
      {
        "ictbroadcast_exploits": "None (vendor silent, no patch)",
        "insurance_breaches": "MFA/monitoring improvements (implied by NY AG)",
        "others": null,
        "vs_code_leaks": "Token revocation recommended"
      }
    ],
    "third_party_assistance": [
      {
        "arcgis_breach": "ReliaQuest (attribution)",
        "ictbroadcast_exploits": "VulnCheck, Rapid7 (disclosure)",
        "others": null,
        "vs_code_leaks": "Wiz (discovery)"
      }
    ]
  },
  "stakeholder_advisories": [
    {
      "arcgis_breach": "Users advised to audit ArcGIS servers for web shells/VPN tunnels.",
      "ictbroadcast_exploits": "Users urged to disconnect internet-facing instances immediately.",
      "insurance_breaches": "Consumers advised to monitor for identity theft (free credit monitoring offered).",
      "microsoft_patch_tuesday": "Admins advised to apply October patches urgently, especially for zero-days.",
      "powerschool_hack": "School districts warned of ongoing extortion risks.",
      "vs_code_leaks": "Developers advised to rotate exposed tokens/keys."
    }
  ],
  "threat_actor": [
    {
      "arcgis_breach": "Flax Typhoon (Chinese state-linked APT, moderate confidence)",
      "ictbroadcast_exploits": "Unknown (TTPs similar to Fortinet-reported phishing campaign)",
      "insurance_breaches": "Unknown (hackers exploited PII for fraudulent unemployment claims)",
      "powerschool_hack": "Matthew D. Lane (and accomplices)"
    }
  ],
  "title": "Breach Roundup: Chinese Hackers Exploited ArcGIS, ICTBroadcast Call Center Software Vulnerability, and Other Cyber Incidents",
  "type": [
    "APT (Advanced Persistent Threat)",
    "Unauthenticated Remote Code Execution (RCE)",
    "Zero-Day Exploits",
    "Data Breach/Extortion",
    "Regulatory Fines (Data Protection Violation)",
    "Supply Chain Risk (Secret Leakage)"
  ],
  "vulnerability_exploited": [
    {
      "arcgis_breach": "Java Server Object Extension (SOE) weaponized as web shell",
      "ictbroadcast_exploits": "CVE-2025-2611 (session cookie command injection)",
      "insurance_breaches": "Lack of MFA/monitoring on 'pre-fill' tools",
      "microsoft_patch_tuesday": [
        "CVE-2025-24990 (Agere Modem driver, EoP)",
        "CVE-2025-59230 (Remote Access Connection Manager, EoP)",
        "CVE-2025-47827 (IGEL OS Secure Boot bypass)",
        "CVE-2025-0033 (AMD SEV-SNP RMP corruption)",
        "CVE-2025-24052 (Agere Modem driver)",
        "CVE-2025-2884 (TPM 2.0)"
      ],
      "vs_code_leaks": "Hardcoded secrets in extensions"
    }
  ]
}