A cyberattack and data breach at US edtech giant PowerSchool, discovered on December 28, threatens to expose the personal information of tens of millions of schoolchildren and teachers.
PowerSchool told customers the breach was related to the compromise of a subcontractor’s account. TechCrunch learned this week of a separate security incident involving a PowerSchool software engineer whose computer was infected with malware that stole company credentials prior to the cyberattack.
It is unlikely that the subcontractor cited by PowerSchool and the engineer identified by TechCrunch are the same person. The engineer’s credential theft raises doubts about security practices at PowerSchool, which private equity giant Bain Capital acquired in a $5.6 billion deal last year.
PowerSchool has publicly shared only a few details about the cyberattack as affected school districts begin to notify their students and teachers about the data breach. Its school records software is used by 18,000 schools in North America to support more than 60 million students, according to the company’s website.
In a communication shared with its customers last week and reviewed by TechCrunch, PowerSchool confirmed that unnamed hackers stole “sensitive personal information” about students and teachers, including some students’ Social Security numbers, grades, demographics and medical information. PowerSchool has not yet said how many customers were affected by the cyberattack, but several school districts that were breached told TechCrunch that their records show the hackers stole “all” of their historical student and teacher data.
A person who works for an affected school district told TechCrunch that they have evidence that highly sensitive information about students was leaked during the breach. The person gave examples such as information about parents’ access rights to their children, including restraining orders, and information about when certain students must take their medication. Other people at affected school districts told TechCrunch that the data stolen would depend on what each individual school had added to its PowerSchool systems.
According to sources who spoke to TechCrunch, PowerSchool told its customers that hackers accessed the company’s systems using a compromised account associated with a technical support subcontractor to PowerSchool. On its incident page, launched this week, PowerSchool said it detected unauthorized access on one of its customer support portals.
PowerSchool spokeswoman Beth Keebler confirmed to TechCrunch on Friday that the account used by the subcontractor to breach the customer support portal was not protected by multi-factor authentication. PowerSchool said MFA has since been rolled out.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach, and a report is expected to be released as soon as Friday. When reached by email, CrowdStrike deferred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify the integrity” of our reporting. “CrowdStrike’s initial analysis and findings show no evidence of system-layer access or any malware, viruses or backdoors associated with this incident,” Keebler told TechCrunch. PowerSchool would not say whether it had received the report from CrowdStrike, nor whether it plans to make the findings public.
PowerSchool said its review of the exfiltrated data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
According to a source with knowledge of cybercrime operations, logs obtained from the computer of an engineer working for PowerSchool show that their device was infected with the prolific LummaC2 data-stealing malware prior to the cyberattack.
It is unclear when exactly the malware was installed. The passwords were stolen from the engineer’s computer on or before January 2024, the source said.
Credential-stealing malware has become an increasingly effective route for hackers to break into companies, especially with the rise of remote and hybrid work, which often allows employees to use their personal devices to access work accounts. As Wired explains, this creates opportunities for data-stealing malware installed on someone’s home computer to capture the employee’s corporate login credentials as they log into their work systems.
A cache of LummaC2 logs seen by TechCrunch includes the engineer’s passwords, browsing history from their two web browsers, and a file containing identifiable and technical information about the engineer’s computer.
Some of the stolen credentials appear to be related to PowerSchool’s internal systems.
The records show that the malware extracted the engineer’s saved passwords and browsing history from their Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs, including the engineer’s stolen credentials, to servers controlled by the malware’s operator. From there, the credentials were shared with the wider online community, including closed cybercrime-focused Telegram groups where corporate account passwords and credentials are sold and traded among cybercriminals.
The malware logs contain the engineer’s passwords for PowerSchool’s source code repositories, the Slack messaging platform, a Jira instance for bug and issue tracking, and other internal systems. The engineer’s browsing history also shows that they had extensive access to PowerSchool’s account on Amazon Web Services, including full access to the company’s AWS-hosted S3 cloud storage servers.
We are not naming the engineer because there is no evidence that they did anything wrong. As we have noted about breaches in similar circumstances, it is the responsibility of companies to implement safeguards and security policies that prevent intrusions resulting from the theft of employee credentials.
When asked by TechCrunch, PowerSchool’s Keebler said that the person whose credentials were used to breach PowerSchool’s systems did not have access to AWS and that PowerSchool’s internal systems, including Slack and AWS, are protected by MFA.
The engineer’s computer also stored several sets of credentials belonging to other PowerSchool employees, which TechCrunch saw. Those credentials allow similar access to the company’s Slack, source code repositories, and other internal company systems.
Many of the dozens of PowerSchool credentials we saw in the logs were short and simple in complexity, and some consisted of just a few letters and numbers. Several account passwords used by PowerSchool matched credentials that had already been compromised in previous data breaches, according to Have I Been Pwned, which maintains an updated list of stolen passwords.
TechCrunch has not tested the stolen usernames and passwords on any PowerSchool systems, as that would be illegal. As such, it is not possible to determine whether any of the credentials are still in active use or whether any are protected by MFA.
PowerSchool said it could not comment on the passwords without seeing them. (TechCrunch has withheld the credentials of the hacked engineer to protect their identity.) The company said it “has robust protocols for password security, including minimum length and complexity requirements, and passwords rotate according to NIST recommendations.” Following the breach, the company said it “conducted a full password reset and tightened password and access controls for all PowerSource customer support portal accounts,” referring to PowerSchool’s compromised customer support portal.
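As an added illustration of the screening the article’s password findings point to (example code written for this page, not PowerSchool’s or TechCrunch’s), the Python below applies NIST SP 800-63B-style checks: a minimum length, a context-word check, and a breached-password lookup using the k-anonymity prefix model that Have I Been Pwned’s Pwned Passwords service uses. The breached corpus is a constructed sample built locally so the code runs offline, and `context_words` is an assumed parameter.

```python
import hashlib

# Constructed sample of already-breached passwords standing in for a breached-
# password corpus such as Have I Been Pwned (not real HIBP data).
BREACHED_SAMPLES = ["password", "123456", "qwerty123", "letmein", "abc123"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(samples):
    """Index breached hashes by their first five hex chars, mirroring the
    k-anonymity range model: a client only ever reveals that 5-char prefix."""
    table = {}
    for pw in samples:
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], set()).add(digest[5:])
    return table


RANGE_TABLE = build_range_table(BREACHED_SAMPLES)


def lookup_range(prefix: str):
    """Local stand-in for the range query; returns the suffixes for a prefix."""
    return RANGE_TABLE.get(prefix, set())


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    # Only the prefix leaves the client; the suffix comparison happens locally.
    return digest[5:] in lookup_range(digest[:5])


def check_password(password: str, context_words=("powerschool",)) -> list:
    """Return the reasons a password fails screening; an empty list passes.

    Rules follow NIST SP 800-63B section 5.1.1.2: at least 8 characters,
    not in a breached-password corpus, and not containing context-specific
    words such as the service name. No composition rules and no periodic
    rotation, which 800-63B advises verifiers not to require."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    lowered = password.lower()
    if any(word.lower() in lowered for word in context_words):
        reasons.append("contains a context-specific word")
    if is_breached(password):
        reasons.append("appears in a breached-password corpus")
    return reasons
```

Against a live service the `lookup_range` stand-in would issue the HTTPS range request for the five-character prefix; the rest of the logic is unchanged.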
PowerSchool said it uses single sign-on technology and MFA for both employees and contractors. Contractors are given access to laptops or a virtual desktop environment with security controls such as anti-malware and a VPN to connect to the company’s systems, the company said.
Questions remain about PowerSchool’s data breach and subsequent handling of the incident, as affected school districts continue to assess how many of their current and former students and employees had their personal information stolen during the breach.
Employees of school districts affected by the PowerSchool breach tell TechCrunch that they are relying on crowdsourced efforts from other school districts and customers to help administrators search PowerSchool log files for evidence of data theft.
At the time of publication, PowerSchool’s documentation regarding the breach was not available without customer access to the company’s website.
Carly Page contributed reporting.
Zack Whittaker can be reached securely on Signal and WhatsApp at +1 646-755-8849, and Carly Page can be reached securely on Signal at +44 1536 853968. You can also share documents securely via TechCrunch’s SecureDrop.