
PowerSchool Data Breach

Macon Moyer

PowerSchool is a K-12 software suite that serves over 60 million students, 16,000 schools, and over 9 million teachers. Over 72 million people were impacted by a data breach on December 22, 2024. This is a serious breach that has impacted a lot of young people and seems to be getting swept under the rug by mainstream media. In this blog, I'm going to try and break down the breach and figure out how it could have been avoided.

 
 

Let's start with a breakdown of who and what was affected by the breach. I've already given you the headline numbers, but let's also look at the general populace that was affected. The software suite is used mainly in the USA and Canada. 6,505 school districts in the US and Canada were affected and 2.7 million records are confirmed affected. The Toronto District School Board confirmed that four decades of student information and seven years of parent/guardian information were stolen. The amount and type of data stolen varies from district to district, but it is reported that 1/4th of students had their Social Security numbers exposed. For context, 1/4th of 60 million is still 15 million. The population of the USA and Canada combined is around 335 million, so close to 5% of the population had their SSNs exposed in this breach.

 
 

The breach happened through the customer support portal, where a maintenance account's credentials were used to access the system. Whether this was done through phishing or another method of credential theft is unclear and will be announced in the forensic statement that is being released by PowerSchool and CrowdStrike soon (it was supposed to be released on January 17th 2025). One would be led to believe that this was the result of a multitude of errors in the cybersecurity of the PowerSchool systems.

The main and most important thing that I would address is time-based data cleanup and erasure. There is zero reason for a school system to retain the data of someone who graduated 40 years ago. Lack of data control and data sprawl are going to get out of hand in 100 years if there aren't proper measures for handling this data. Another factor that should be considered when holding onto this data is how sensitive each piece of data is, so that you can select which data to erase over time. I would venture to say that it might be a good idea to provide better ways to identify students than their Social Security number, so that it can be erased from the system after they graduate, or maybe five years after they graduate (to provide ample time for college enrollment without many issues).

The next main method of prevention that should have been implemented is least privilege. There have to be better methods in place to prevent a single service account from wreaking this much havoc. You have to have multi-factor authentication so that you can't log in without a secondary method. Default sprawl of software that isn't needed was also a contributing factor to the breach: the PowerSource customer support portal, which bypasses the school district's internal authentication controls, was automatically installed on every device. The last thing, which may or may not have prevented this, is user training. Had the person who lost access to the service account been a bit better trained, it could have been prevented. Had the school district's IT staff been better trained on locking down their systems, they may not have leaked as much data. With the lack of forensic data provided at this moment, it's hard to tell just how the system was compromised, but certain assumptions have to be made in these types of attacks.
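
The time-based erasure suggested above, sketched as an added example (it is not code from PowerSchool or from the original post). Only the five-year SSN window comes from the post; the field names, the other windows and the ten-year record cap are assumptions chosen for illustration.

```python
from datetime import date

# Years after graduation each field may be kept. Only the five-year SSN
# window is the post's suggestion; the other values are assumed placeholders.
FIELD_RETENTION_YEARS = {"ssn": 5, "guardian_contact": 1, "medical_notes": 1}
RECORD_RETENTION_YEARS = 10  # assumed cap after which the whole record goes

def years_after(d, years):
    """Return d shifted forward by whole years (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def expired_fields(record, today):
    """List populated fields whose retention window has passed."""
    grad = record.get("graduated")
    if grad is None:  # still enrolled, so nothing has started to age out
        return []
    return sorted(
        name for name, years in FIELD_RETENTION_YEARS.items()
        if record.get(name) is not None and today >= years_after(grad, years)
    )

def sweep(records, today):
    """Erase expired fields in place, drop records past the cap.

    Returns (kept_records, audit), where audit lists (student_id, what_was_erased).
    """
    kept, audit = [], []
    for rec in records:
        grad = rec.get("graduated")
        if grad and today >= years_after(grad, RECORD_RETENTION_YEARS):
            audit.append((rec["student_id"], "*record*"))
            continue
        for name in expired_fields(rec, today):
            rec[name] = None
            audit.append((rec["student_id"], name))
        kept.append(rec)
    return kept, audit

# Constructed sample records with invalid placeholder SSNs, not real data.
SAMPLE = [
    {"student_id": 1, "graduated": date(1985, 6, 15), "ssn": "000-00-0001"},
    {"student_id": 2, "graduated": date(2022, 6, 10), "ssn": "000-00-0002",
     "guardian_contact": "b@example.org", "medical_notes": "asthma"},
    {"student_id": 3, "graduated": None, "ssn": "000-00-0003"},
    {"student_id": 4, "graduated": date(2020, 1, 24), "ssn": "000-00-0004"},
]

if __name__ == "__main__":
    print(sweep(SAMPLE, date(2025, 1, 24))[1])
```

The audit list is the part worth keeping: it records what was erased and for whom without retaining the erased values themselves.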

 
 

2024 was full of breaches and major moments in the cybersecurity landscape, and this attack was just as monumental. I would say it was worse than the CrowdStrike failure earlier in the year because more than just systems were impacted. People will be dealing for the rest of their lives with the ramifications of having their data stolen due to another major company's negligence in simple practices.

-Macon Moyer 1/24/25

 
 
 


© 2024 by Macon Moyer
