2025-03-20

Compromised Credentials Enabled PowerSchool Data Exfiltration, CrowdStrike Report Finds

Education
Technology

PowerSchool has released its investigation report, conducted with CrowdStrike, on the cybersecurity incident involving PowerSchool’s Student Information System (SIS), which was identified on December 28, 2024, following unauthorized data exfiltration through the PowerSource support portal. The investigation revealed that a threat actor leveraged compromised credentials to gain access to PowerSource, enabling unauthorized entry into SIS environments. PowerSchool confirmed that the breach did not disrupt operations and found no evidence of malware or further unauthorized access beyond the affected instances. The compromised data included personally identifiable information (PII) of students and educators, such as names, contact details, dates of birth, Social Security Numbers (SSNs), and limited medical alert information. To mitigate risks, PowerSchool provided affected individuals with credit monitoring and identity protection services and implemented stricter security measures, including enforced password resets and multi-factor authentication (MFA) for access to PowerSource.

CrowdStrike’s investigation determined that the threat actor exploited PowerSource’s Maintenance Remote Support operations to access PowerSchool’s SIS instances between December 19, 2024, and December 28, 2024. “Between December 19, 2024, at 19:43:14 UTC, and December 28, 2024, at 06:31:18 UTC, the Threat Actor performed Maintenance Remote Support operations in PowerSource, which enabled the Threat Actor to access the individual customer organizations’ SIS instances. At 19:43:37 UTC, the Threat Actor initiated a Maintenance Remote Support connection to PowerSchool SIS from the same IP address using the compromised support credentials.” The actor exfiltrated records from the “Teachers” and “Students” tables of the SIS databases but did not access or extract data from any other sections. “Between December 19, 2024, at 23:02:54 UTC, and December 23, 2024, at 08:04:45 UTC, the Threat Actor exfiltrated data from the Teachers and Students tables of the PowerSchool SIS instances for certain PowerSchool customers; CrowdStrike found no evidence of data exfiltration from any other tables.”

While the primary data exfiltration occurred in December 2024, CrowdStrike uncovered an earlier instance of unauthorized access in PowerSource logs dating back to August 16, 2024. The logs indicated that an unknown actor successfully accessed PowerSource using the same compromised credentials, but there was insufficient evidence to confirm whether this earlier activity was linked to the December breach. “Beginning on August 16, 2024, at 01:27:29 UTC, PowerSource logs showed that an unknown actor successfully accessed the PowerSchool PowerSource portal using the compromised support credentials. CrowdStrike did not find sufficient evidence to attribute this activity to the Threat Actor responsible for the activity in December 2024.” The investigation also found no evidence that the threat actor had gained system-level access or deployed malware, indicating that the attack was confined to application-level abuse of PowerSource’s support capabilities.
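The two findings above (a support credential used from a new source at an unusual hour, then a burst of Maintenance Remote Support connections fanning out across many customer instances) are exactly the patterns a support-portal audit log should surface. The following is an added detection example, not code from PowerSchool, CrowdStrike or Anvilogic; the log line layout, field names, user names, IPs and instance names are all constructed for illustration and a real portal's audit log would have to be mapped onto these fields first.

```python
"""Detection heuristics for support-portal credential abuse.

Added example, not PowerSchool's, CrowdStrike's or Anvilogic's code.
The audit log format and every value below are constructed; a real
support portal's log must be mapped onto these fields before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, support user, source IP,
# event type, target customer instance ("-" for portal-level events).
# support_user_1 has a normal baseline, then a new-IP login followed by
# rapid remote-support connections to five different districts.
SAMPLE_LOG = """\
2024-12-10T14:02:11Z support_user_1 203.0.113.10 PORTAL_LOGIN -
2024-12-10T14:05:40Z support_user_1 203.0.113.10 REMOTE_SUPPORT_CONNECT district-001
2024-12-11T08:00:00Z support_user_2 203.0.113.22 PORTAL_LOGIN -
2024-12-19T19:43:14Z support_user_1 198.51.100.7 PORTAL_LOGIN -
2024-12-19T19:43:37Z support_user_1 198.51.100.7 REMOTE_SUPPORT_CONNECT district-014
2024-12-19T19:51:02Z support_user_1 198.51.100.7 REMOTE_SUPPORT_CONNECT district-022
2024-12-19T20:03:55Z support_user_1 198.51.100.7 REMOTE_SUPPORT_CONNECT district-031
2024-12-19T20:20:09Z support_user_1 198.51.100.7 REMOTE_SUPPORT_CONNECT district-047
2024-12-19T20:41:30Z support_user_1 198.51.100.7 REMOTE_SUPPORT_CONNECT district-058
2024-12-20T09:12:00Z support_user_2 203.0.113.22 PORTAL_LOGIN -
2024-12-20T09:15:21Z support_user_2 203.0.113.22 REMOTE_SUPPORT_CONNECT district-003
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, target = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "action": action, "target": target})
    return events


def new_source_ip_logins(events, baseline_end):
    """Flag PORTAL_LOGIN events after baseline_end whose source IP was never
    seen for that support user during the baseline period."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] <= baseline_end:
            known[e["user"]].add(e["ip"])
    return [e for e in events
            if e["action"] == "PORTAL_LOGIN" and e["ts"] > baseline_end
            and e["ip"] not in known[e["user"]]]


def fan_out_remote_support(events, window=timedelta(hours=1), threshold=3):
    """Flag support users whose REMOTE_SUPPORT_CONNECT events reach `threshold`
    distinct customer instances inside any sliding `window`.  A support
    engineer working one ticket touches one instance; a credential being
    used to sweep many customer SIS instances does not."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "REMOTE_SUPPORT_CONNECT":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {start["target"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                targets.add(later["target"])
            if len(targets) >= threshold:
                alerts.append((user, start["ts"], sorted(targets)))
                break  # one alert per user is enough for triage
    return alerts


def run_detections(text, baseline_end):
    """Run both heuristics; baseline_end is 'YYYY-MM-DD' (inclusive)."""
    events = parse_log(text)
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    return {
        "new_ip_logins": [(e["user"], e["ip"]) for e in new_source_ip_logins(events, cutoff)],
        "fan_out": [(user, targets) for user, _, targets in fan_out_remote_support(events)],
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG, "2024-12-15").items():
        print(name, hits)
```

The baseline cut-off and the fan-out threshold are tuning knobs: the new-IP rule only helps once a support credential has an established history, and the threshold should sit just above the number of distinct customer instances a legitimate support session plausibly touches in an hour. Both rules are independent of whether the later data reads came from the Teachers or Students tables, so they fire on the session pattern before exfiltration completes.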

In response to the incident, PowerSchool has implemented additional security measures to prevent further unauthorized access, including restricting PowerSource access to a VPN requiring MFA and single sign-on (SSO). Despite concerns over the potential exposure of sensitive data, CrowdStrike’s dark web monitoring has not identified any evidence of the exfiltrated data being offered for sale.
