91.218.50.11. PowerSchool hack exposes student, teacher data from K-12 districts
School districts known to be impacted by the PowerSchool breach are listed the bottom of the article.
PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.
While the company's products are mostly known by school districts and their staff, PowerSchool also operates Naviance, a platform used by many K-12 districts in the US to offer personalized college, career, and life readiness planning tools to students.
Targeted in data-theft attacks
In a cybersecurity incident notification sent to customers Tuesday afternoon and obtained by BleepingComputer, PowerSchool says they first became aware of the breach on December 28, 2024, after PowerSchool SIS customer information was stolen through its PowerSource customer support platform.
PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more.
"As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024 PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource," reads a notification shared with BleepingComputer.
After investigating the incident, it was determined that the threat actor gained access to the portal using compromised credentials and stole data using an "export data manager" customer support tool.
"The unauthorized party was able to use a compromised credential to access one of our community-focused customer support portals called PowerSource," PowerSchool told BleepingComputer in a statement.
"PowerSource contains a maintenance access tool that allows PowerSchool engineers to access Customer SIS instances for ongoing support and to troubleshoot performance issues."
- PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses.
- However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades.
The company also stressed that not all PowerSchool SIS customers were impacted and that they anticipate only a subset of customers will have to issue notifications.
- In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.
In an unusually transparent FAQ only accessible to customers, PowerSchool also confirmed that this was not a ransomware attack but that they did pay a ransom to prevent the data from being released.
"With their guidance, PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist."
While the company said they received a video showing that the data was deleted, as with all data extortion attacks, there is never a hundred percent guarantee that it was.
The company is now continuously monitoring the dark web to determine if the data has been leaked or will be leaked in the future.
For those impacted, PowerSchool is offering credit monitoring services to impacted adults and identity protection services for impacted minors.
PowerSchool says its operations remain unaffected, and services continue as usual despite the breach.
The company is now notifying impacted school districts and will be providing a communications package that includes outreach emails, talking points, and FAQs to help inform teachers and families about the incident.
If you have first-hand information or were behind the PowerSchool attack, we would like to speak to you. You can contact us confidentially on Signal at @LawrenceA.11 or on Telegram at @lbleeper.
BleepingComputer has learned that PowerSchool will soon provide detailed guides for customers to check if they were impacted and determine what data was stolen.
- In the meantime, a Reddit thread about the incident contains valuable information from IT personnel whose school districts were impacted, explaining how to detect whether data was stolen from their PowerSchool SIS database.
A detailed guide written by Romy Backus, SIS Specialist at the American School of Dubai, explains how to check the PowerSchool SIS logs to determine if data was stolen.
This guide and other reports indicate that data was first stolen on December 22, 2024, from IP address
91.218.50.11. This IP address belongs to a website and virtual hosting company in Ukraine.
Source: Romy Backus
While PowerSchool says that not all of these fields may be populated by data, the stolen data could include sensitive information for minors, such as names, addresses, phone numbers, Social Security Numbers, grade point averages, bus stops, passwords, notes, alerts, student IDs, parent information, and medical information.
For teachers, the data could include their names, addresses, phone numbers, Social Security Numbers, and passwords.
- The investigation is ongoing, with cybersecurity firm CrowdStrike expected to release a finalized report by January 17, 2025.
Impacted school districts
After the security incident was disclosed by PowerSchool, school districts have begun notifying parents and students about the breach today.
Below is a list of school districts that our readers say were imapcted by the PowerSchool breach:
- Alabama School Districts
- Etowah County School District in Alabama
- San Diego Unified School District in California*
- Colchester School District in Connecticut*
- East Hartford Public Schools in Connecticut*
- Easton Redding Region 9 School Districts in Connecticut
- Farmington Public Schools in Connecticut
- Norwalk public schools in Connecticut*
- North Branford Public Schools Community in Connecticut*
- Region 1 School District in Connecticut
- Wauconda Community Unit School District #118 in Illinois*
- Brownsburg Community Schools in Indiana*
- Mississinewa Community School Corporation in Indiana
- New Albany Floyd County Schools in Indiana*
- Noblesville Schools in Indiana*
- South Madison Community School Corporation in Indiana*
- Pekin Schools in Iowa
- Andover Public Schools in Kansas*
- Ascension Parish Public Schools in Louisiana
- Orleans Parish School board (NOLA public schools) in Louisiana*
- St. Charles Parish Public Schools in Louisiana
- Maine School Administrative District in Maine
- Amherst-Pelham Regional School District in Massachusetts*
- Berkshire Hills Regional School District in Massachusetts*
- Canton Public Schools in Massachusetts*
- Hopkinton Public Schools in Massachusetts*
- Lenox Public Schools in Massachusetts*
- Pittsfield Public Schools in Massachusetts
- Wellesley Public Schools in Massachusetts*
- Westford Public Schools in Massachusetts
- Bessemer Area Schools in Michigan
- SAU 21 in New Hampshire
- Valentine Community Schools in Nebraska
- Burlington Township School District in New Jersey*
- Millburn Township Public Schools in New Jersey
- West Orange Public Schools in New Jersey*
- East Greenbush Central School District in New York*
- North Carolina School Districts
- All North Dakota schools may be impacted
- Edgeley School District in North Dakota
- Fairmount Public Schools in North Dakota
- Langdon Area Schools in North Dakota
- North Border School District in North Dakota
- Ray Public Schools in North Dakota
- Tioga Public Schools in North Dakota
- Lower Merion School District (LMSD) in Pennsylvania
- Oxford Area School District in Pennsylvania
- St. Hubert Catholic High School for Girls in Pennsylvania
- Florence 1 Schools in South Carolina
- School District of Newberry County in South Carolina
- Champlain Valley School District in Vermont*
- Colchester School District in Vermont
- Winooski School District in Vermont*
- Sturgeon Bay Schools in Wisconsin
- Conseil scolaire FrancoSud in Alberta, Canada*
- Elk Island Public Schools in Alberta, Canada*
- Red Deer Public Schools in Alberta, Canada*
- Medicine Hat Public School Division in Alberta, Canada (They are investigating)
- St. Albert Public Schools in Alberta, Canada
- Wolf Creek Public Schools in Alberta, Canada*
- Dufferin Peel Catholic District School in Ontario, Canada
- Durham District School Board in Ontario, Canada
- Peel District School Board in Ontario, Canada
- Toronto District School Board (TDSB) in Ontario, Canada
- Upper Canada District School Board in Ontario, Canada
- York Region District School Board in Ontario, Canada
- Cape Breton-Victoria Regional Centre for Education in Nova Scotia, Canada
- School districts in Newfoundland and Labrador in Canada
* Residents of these school districts have shared emails stating they were impacted. If you have a formal link or email to a disclosure, please share it.
If you know of other impacted districts, please let us know via email at tips@bleepingcomputer.com or through our tip form.
Update 1/7/25: Fixed typo mistakenly indicating customer credentials, tickets, and the forum database were exfiltrated.
Update 1/8/25: Added additional IOCs shared by customers overnight.
No comments:
Post a Comment