A cyberattack and data breach at U.S. education technology giant PowerSchool, discovered on December 28, threatens to compromise the personal data of tens of millions of children and teachers.
PowerSchool informed customers that the breach stemmed from a compromise of a subcontractor's account. TechCrunch learned this week of another security incident involving a PowerSchool software engineer, whose computer was infected with malware that stole company credentials prior to the cyberattack.
It is unlikely that the subcontractor mentioned by PowerSchool and the engineer identified by TechCrunch are the same person. Still, the theft of the engineer's credentials raises further questions about the security practices of PowerSchool, which was acquired by private equity giant Bain Capital last year in a $5.6 billion deal.
PowerSchool has released only a few details about the cyberattack as affected school districts begin notifying students and teachers about the data breach. The company's school records software is used in 18,000 schools across North America and supports more than 60 million students, according to the company's website.
In a communication shared with customers last week and seen by TechCrunch, PowerSchool said unnamed hackers had stolen “sensitive personal information” on students and teachers, including some students' Social Security numbers, grades, demographic information and medical information. PowerSchool has not yet disclosed how many customers were affected by the cyberattack, but several school districts affected by the breach told TechCrunch that the hackers stole “all” of their historical student and teacher data, and that they have logs showing this.
A person who works for an affected school district told TechCrunch there is evidence that sensitive information about students was exposed in the breach. The person cited examples such as information about parents' access rights to their children, including restraining orders, and information about when certain students are required to take medication. Other people at affected school districts told TechCrunch that the data stolen depends on what each school adds to its PowerSchool system.
Sources who spoke to TechCrunch said PowerSchool told customers that hackers used a single compromised maintenance account associated with PowerSchool's technical support subcontractor to infiltrate its systems. PowerSchool said on an incident page it set up this week that it had confirmed that one of its customer support portals had been compromised.
PowerSchool spokesperson Beth Keebler confirmed to TechCrunch on Friday that the subcontractor account used to compromise the customer support portal was not protected with multi-factor authentication. Multi-factor authentication is a widely used security feature to protect accounts from hacks related to password theft. PowerSchool said it has since rolled out MFA.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach, with a report expected to be released as early as Friday. When contacted via email, CrowdStrike deferred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify” the accuracy of our reporting. “CrowdStrike's initial analysis and findings show no evidence of system layer access, malware, viruses, or backdoors related to this incident,” Keebler told TechCrunch. PowerSchool has not said whether it has received a report from CrowdStrike or whether it plans to make its findings public.
PowerSchool said the investigation into the stolen data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
PowerSchool passwords are stolen by malware
Logs taken from the computer of an engineer working at PowerSchool show that, prior to the cyberattack, the device had been infected with the LummaC2 information-stealing malware, according to sources familiar with cybercriminal activity.
It is unclear exactly when the malware was installed. Those sources said the engineer's passwords were stolen from the computer in January 2024 or earlier.
Information-stealing malware has become an effective route for hackers to break into businesses, especially with the rise of remote and hybrid work, where employees may use personal devices to access work accounts. As Wired has explained, this creates an opportunity for infostealer malware to land on an employee's home computer while that employee is also logged into work systems, handing the attacker the credentials needed to access the company.
The cache of LummaC2 logs seen by TechCrunch includes files containing the engineer's password, browsing history from two web browsers, and identifiable technical information about the engineer's computer.
Some of the stolen credentials appear to be tied to PowerSchool's internal systems.
Logs show that the malware extracted the engineer's saved passwords and browsing history from Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs containing the engineer's stolen credentials to a server controlled by the malware's operators. From there, the credentials were shared with broader online communities, including private cybercrime-focused Telegram groups where corporate account passwords and credentials are bought and sold between cybercriminals.
The malware logs include the engineer's passwords for PowerSchool's source code repository, its Slack messaging platform, its Jira instance for tracking bugs and issues, and other internal systems. The engineer's browsing history also shows extensive access to PowerSchool's accounts on Amazon Web Services, including full access to the company's AWS-hosted S3 cloud storage servers.
We will not release the names of the engineers because there is no evidence that they did anything wrong. As we have previously discussed regarding breaches in similar situations, it is ultimately the business's responsibility to put in place defenses and enforce security policies to prevent intrusions due to theft of employee credentials.
In response to a question from TechCrunch, PowerSchool's Keebler said that the person whose compromised credentials were used to break into PowerSchool's systems did not have access to AWS, and that PowerSchool's internal systems, including Slack and AWS, are protected by MFA.
TechCrunch found that the engineer's computer also had several sets of credentials belonging to other PowerSchool employees. The credentials appear to allow similar access to the company's Slack, source code repositories, and other internal systems.
Of the dozens of PowerSchool credentials we saw in the logs, many were short, basic, and lacking in complexity, and some consisted of just a few letters and numbers. According to Have I Been Pwned's latest list of stolen passwords, several of the account passwords used at PowerSchool matched credentials that had already been compromised in previous data breaches.
TechCrunch did not test the stolen usernames and passwords against PowerSchool's systems, because doing so would be illegal. As such, we could not determine whether any of the credentials are still in active use or protected by MFA.
PowerSchool said it could not comment without seeing the passwords. (TechCrunch withheld the credentials to protect the identity of the engineer who was hacked.) The company said it has “implemented robust protocols for password security, including minimum length and complexity requirements,” and that “passwords are rotated in accordance with NIST recommendations.” Referring to the compromised customer support portal, the company said that following the breach, PowerSchool has “fully reset the passwords for all PowerSource customer support portal accounts and further tightened password and access controls.”
PowerSchool said it uses single sign-on technology and MFA for both employees and contractors. The company said contractors will be provided with a laptop or access to a virtual desktop environment with anti-malware features and security controls such as a VPN to connect to the company's systems.
Questions remain about the PowerSchool data breach and the company's response to the incident, as affected school districts continue to investigate how many current and former students and staff had their personal data stolen in the breach.
Staff at districts affected by the PowerSchool breach told TechCrunch that they are relying on crowdsourced efforts from other districts and customers to help administrators search PowerSchool log files for evidence of data theft.
At the time of publication, PowerSchool's breach documentation could not be accessed unless customers logged into the company's website.
Carly Page contributed reporting.
Zack Whittaker can be reached securely on Signal and WhatsApp at +1 646-755-8849. Carly Page can be reached securely on Signal (+44 1536 853968). You can also securely share documents with TechCrunch via SecureDrop.