
Advisory Alert: PowerSchool Data Breach


The PowerSchool breach affected numerous K-12 schools across the USA and is a wake-up call that should impact how education establishments approach security.

Just after Christmas 2024, PowerSchool detected a cybersecurity incident. By then, cybercriminals had already compromised sensitive information about students and staff from across the USA by way of PowerSchool’s customer support portal, PowerSource.

What do we know about the breach? How did it happen? And what can we learn from it?

What Do We Know About the PowerSchool Breach?

PowerSchool is a student information system software solution that supports a wide range of educational institutions, from individual schools and districts to government agencies. It provides a centralized platform for managing aspects of student data, including demographics, attendance, grades, and schedules.

PowerSchool has over 18,000 customers in more than 90 countries and their cloud-based systems are used by over 60 million students.

Attackers breached the system through PowerSource, PowerSchool’s customer support portal for district and school staff. A cybercrime group is believed to have gained unauthorized access to two tables holding family and teacher information, including personally identifiable data such as names, addresses, social security numbers and medical information.

Controversially, PowerSchool met the attackers’ demands, paying a ransom in exchange for a promise that the stolen data would be deleted. There is, of course, no way to verify that the data was actually deleted. The decision has been widely criticized as setting a dangerous precedent, since it encourages criminals to keep attacking and extorting organizations.

How Was PowerSchool Breached and Why?

PowerSchool prides itself on data security, so how did this data breach happen?

The data breach appears to have occurred after an unauthorized party used compromised credentials to access PowerSource. Mishka McCowan, CISO at PowerSchool, revealed that credentials had been available on the Dark Web for a “period of time well before the attack.”

This suggests that the attack had two stages. First, the credentials were stolen, potentially through an earlier compromise such as infostealer malware, or through phishing or social engineering. The stolen logins were then offered on a dark-web credential marketplace, where criminals sell such access for a price. The buyers used them to log in to PowerSource and exfiltrate the data they needed for the extortion attempt.

Why would a crime group target schools for information such as students’ addresses and social security numbers? As we showed in our Lumu Compromise Report 2024, educational institutions are popular targets for attacks, including infostealers and ransomware. They are targeted because of the sensitive nature of their information and their perceived ability to pay ransoms.

The personal information of children is particularly valuable because it can be used to open fraudulent lines of credit that go unnoticed for years, since minors rarely have their credit history checked. This risk was acknowledged in PowerSchool’s response: the company is offering credit monitoring and identity protection services to the victims of the attack.

How To Defend Against Similar Attacks

It should be assumed that attacks like this will happen again and can hit any organization. Much of the discussion has swirled around whether it was correct to pay the ransom. However, by the time you are debating whether to pay, this is no longer a security question but a business decision. In terms of security, we need to discuss how not to get there in the first place.

Firstly, the theft of access credentials is the key point to protect. An attacker who logs in with legitimate credentials is much harder to detect with conventional cybersecurity defenses. How can you defend against that initial loss of information?

One popular technique for stealing credentials is infostealer malware. Once placed on a system, it is designed to harvest and exfiltrate specific information, such as saved credentials. Such malware is very difficult for traditional solutions to detect; however, the suspicious movement of data out of the network is where the visibility provided by Lumu can catch these criminals and stop the data from being transferred.

Credentials may also be elicited through a phishing email or social engineering. A solid cybersecurity architecture should include visibility into your external attack surface, which helps identify your compromised data on the dark web and fraudulent phishing domains targeting your organization. It should also assume that, on occasion, all those layers of security will fail. So what then?

To prevent sensitive data from leaving the network there are several approaches. Virtual Agents on devices such as laptops, desktops and mobile devices can monitor file transfers and application usage, letting security teams gauge the compromise level of remote devices. A network-based approach monitors traffic on the network, looking for suspicious patterns or the presence of sensitive data in emails, files and other communications.

Network Detection and Response tools, such as Lumu Defender, provide the network visibility to detect and react to suspicious activity. They should also monitor for suspicious logins, for example from unusual IP addresses or geographic locations. Lumu’s AI analyzes network activity in real time to catch and block any movement of data that might indicate a compromise.
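The suspicious-login monitoring described above, as an added example that is not code from this page, from Lumu or from PowerSchool. It runs two of the checks a practitioner would put in front of a support portal: a sign-in from a country or ASN never seen for that user, and "impossible travel" (two sign-ins too far apart for the time between them). The JSON sign-in records, user names, IPs and coordinates are constructed for the example and the 900 km/h ceiling is an assumed threshold; a flagged event is deliberately kept out of the user's baseline so that an attacker using stolen credentials cannot quietly teach the detector that their location is normal.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events for illustration; these are NOT PowerSource logs.
# Each line is one JSON record with the fields a portal or identity provider
# typically emits: user, UTC timestamp, source IP, GeoIP country/coordinates, ASN.
SAMPLE_LOGINS = """
{"user": "jsmith", "ts": "2024-12-27T14:02:11Z", "ip": "203.0.113.5", "country": "US", "lat": 40.71, "lon": -74.01, "asn": "AS64500"}
{"user": "jsmith", "ts": "2024-12-28T09:15:40Z", "ip": "203.0.113.5", "country": "US", "lat": 40.71, "lon": -74.01, "asn": "AS64500"}
{"user": "jsmith", "ts": "2024-12-28T09:40:02Z", "ip": "198.51.100.77", "country": "RU", "lat": 55.75, "lon": 37.62, "asn": "AS64511"}
{"user": "jsmith", "ts": "2024-12-28T09:41:30Z", "ip": "198.51.100.77", "country": "RU", "lat": 55.75, "lon": 37.62, "asn": "AS64511"}
{"user": "rlee", "ts": "2024-12-28T10:00:00Z", "ip": "192.0.2.10", "country": "US", "lat": 34.05, "lon": -118.24, "asn": "AS64500"}
{"user": "rlee", "ts": "2024-12-28T22:00:00Z", "ip": "192.0.2.11", "country": "US", "lat": 41.88, "lon": -87.63, "asn": "AS64500"}
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner speed; faster = impossible travel
MIN_TRAVEL_KM = 50.0       # ignore GeoIP jitter between nearby points


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_logins(text):
    """Parse JSON-lines sign-in records and order them per user by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["dt"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    events.sort(key=lambda e: (e["user"], e["dt"]))
    return events


def detect_suspicious_logins(events):
    """Flag sign-ins from a country or ASN never seen for the user, and sign-ins
    that would require travel faster than MAX_PLAUSIBLE_KMH since the user's last
    trusted sign-in. Flagged events are NOT folded into the baseline."""
    baselines = {}  # user -> {"countries": set, "asns": set, "last": trusted event}
    alerts = []
    for e in events:
        b = baselines.setdefault(e["user"], {"countries": set(), "asns": set(), "last": None})
        reasons = []
        if b["last"] is not None:  # need at least one trusted sign-in as a baseline
            if e["country"] not in b["countries"]:
                reasons.append("new_country:" + e["country"])
            if e["asn"] not in b["asns"]:
                reasons.append("new_asn:" + e["asn"])
            last = b["last"]
            km = haversine_km(last["lat"], last["lon"], e["lat"], e["lon"])
            hours = (e["dt"] - last["dt"]).total_seconds() / 3600.0
            if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("impossible_travel:%.0fkm_in_%.2fh" % (km, hours))
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
        else:
            # Only trusted sign-ins extend the baseline.
            b["countries"].add(e["country"])
            b["asns"].add(e["asn"])
            b["last"] = e
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(parse_logins(SAMPLE_LOGINS)):
        print(a["ts"], a["user"], a["ip"], ", ".join(a["reasons"]))
```

On the constructed sample, both sign-ins for jsmith from the new country and ASN are flagged, the second one still measured against the last trusted sign-in rather than the first flagged one, while rlee's twelve-hour hop between two US cities stays under the speed ceiling and is left alone. In production the baseline would be persisted per user and seeded from a history window rather than built from a single prior event.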

Additionally, it is essential that your security stack be integrated so that data can be analyzed as a whole, leaving the attacker fewer gaps to slip through.

In PowerSchool’s case, the credentials had been available for purchase on the dark web for a lengthy period. To stay one step ahead, tools can be used to give visibility into the dark web and monitor the information attackers are likely to already know about your organization.
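One concrete check that follows from the point above, going a step beyond the monitoring framing of the page: if a password is already in a leaked-credential corpus, refuse it at password-set or reset time, so that an attacker buying an old dump gets nothing that still works. This is an added example, not code from this page, from Lumu or from PowerSchool. It uses the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1, match the suffix locally) so that the audit itself never hands the full hash to the feed; the corpus, its passwords and its counts are constructed here, and a real deployment would query a licensed breach feed or service instead of the in-memory dictionary.

```python
import hashlib


def sha1_hex(text):
    """Uppercase SHA-1 hex digest, the form breach-corpus range queries use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-credential corpus: SHA-1 of passwords that
# appeared in breaches, with a made-up count of how often each was seen.
# A real feed would be an external service or a dump you have licensed.
LEAKED_CORPUS = {
    sha1_hex("password"): 3_600_000,
    sha1_hex("123456"): 36_000_000,
    sha1_hex("Winter2024!"): 14,
}


def range_query(prefix5):
    """Feed side of a k-anonymity lookup: given only the first five hex characters
    of a hash, return every suffix in the corpus sharing that prefix, with its
    count. The feed never receives the full hash or the password, so checking
    your own credentials does not itself expose them."""
    if len(prefix5) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in LEAKED_CORPUS.items() if h.startswith(prefix5)}


def exposure_count(password):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password was seen in breaches (0 = not found)."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


def reject_if_exposed(password):
    """Policy hook for password-set/reset: (accepted, breach_count).
    Anything seen even once in a dump is refused."""
    n = exposure_count(password)
    return (n == 0, n)


if __name__ == "__main__":
    for candidate in ("password", "Winter2024!", "a-long-passphrase-no-dump-has"):
        accepted, seen = reject_if_exposed(candidate)
        print("%-32s accepted=%s seen_in_breaches=%d" % (candidate, accepted, seen))
```

The same prefix-only lookup can be run in batch against stored password hashes during a credential-hygiene sweep, which is the defensive counterpart to the marketplace purchase described in the breach: you find the exposed logins before the buyer does.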

If you want to find out more about how Lumu can give you visibility on your network to defend against a similar breach, open a free account today.
