
January 24, 2025 |

PowerSchool breach affects millions of students' and teachers' data


The data of 2,488,628 students and 9,506,624 teachers from 6,505 school districts in the US, Canada, and other countries has been breached, according to the threat actor responsible for the recent compromise of PowerSchool.

PowerSchool is a widely used platform that thousands of schools rely on to manage student enrollment, communication, staffing, and finance functions. PowerSchool first reported the breach on January 7, 2025, stating that a threat actor had used stolen credentials to log in to the company's PowerSource customer support portal and, from there, exported student and teacher data from customers' PowerSchool SIS databases.


PowerSchool has confirmed that it paid the ransom to ensure the breached data, which includes personal information, Social Security Numbers, and grades, isn’t publicly disclosed or sold to other threat actors.

PowerSchool has advised that it believes over 75% of the individuals affected by the breach did not have Social Security Numbers exfiltrated. PowerSchool has offered all impacted students and teachers two years of free identity protection and credit monitoring services to reduce their risk.

Source: Bleeping Computer

Analysis

While every breach scenario is different, paying a ransom in exchange for a promise not to disclose stolen data is generally not advised, because the payment buys no guarantee. Attackers often retain a copy of the data and may resell or publish it later, exposing the organization to a second extortion attempt or breach over the same dataset.

Paying also funds further criminal activity and signals that the organization, and others like it, are worthwhile targets, which contributes to the broader threat landscape.

Organizations should instead concentrate on containing the intrusion, engaging law enforcement, and bringing in incident response expertise. A payment rarely produces a satisfactory outcome and helps perpetuate the cycle of extortion.

The PowerSchool breach underscores the value of a robust dark web monitoring capability, like that included in Field Effect MDR Complete, for detecting exposed credentials and personal data before they are used against an organization.

In this case, the attackers gained initial access through stolen credentials. Had those credentials surfaced on a monitored marketplace or forum before they were used, proactive dark web monitoring could have flagged them and given the organization a chance to revoke them and act before the attack. The caveat a practitioner should keep in mind is that monitoring only catches credentials that appear on sources the provider covers; credentials sold privately or obtained directly by the attacker never show up, so monitoring complements, rather than replaces, multi-factor authentication on administrative and support portals and prompt credential rotation.

Additionally, after the breach, dark web monitoring can detect leaked personal information belonging to students and teachers as it is traded or posted, so that affected individuals can be notified and the impact reduced. Continuous monitoring of this kind provides an important additional layer of defense against data theft and subsequent exposure.
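Credential monitoring services need a way to tell an organization that a credential is in a leak corpus without the organization having to ship its secrets to the monitoring provider. The following is an added example, not code from the original post, Field Effect, or PowerSchool. It models the k-anonymity range-query pattern that the public Pwned Passwords service uses: the client sends only the first five hex characters of the SHA-1 of a password and receives every hash suffix in that bucket, so the full hash, and the password, never leave the client. The leak corpus and the provider endpoint are simulated inline with constructed data; in a real deployment `range_bucket` would be an HTTPS call to the provider.

```python
"""Check passwords against a leaked-credential corpus using k-anonymity.

Added example (not code from the original post). The corpus below is
constructed for illustration; a real check would query a monitoring
provider's range endpoint with the 5-character SHA-1 prefix only.
"""
import hashlib

# Constructed sample corpus: passwords assumed to have appeared in breach
# dumps, mapped to how many dumps contained them. Only their SHA-1 digests
# are retained, which is what a real corpus would store.
_CONSTRUCTED_LEAKS = {"password": 9545824, "Welcome1": 142, "Spring2024!": 3}

LEAKED_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _CONSTRUCTED_LEAKS.items()
}

HEX = set("0123456789ABCDEF")


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 digest, the key format used by the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_bucket(prefix: str) -> dict:
    """Simulated provider endpoint: return {suffix: count} for every corpus
    hash that starts with the 5-character prefix. The prefix is the only
    value a client ever sends, so the provider cannot recover the password."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return {h[5:]: n for h, n in LEAKED_CORPUS.items() if h.startswith(prefix)}


def leak_count(password: str) -> int:
    """Number of leak dumps the password appears in (0 if not found).
    Computes the hash locally and matches the suffix client-side."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_bucket(prefix).get(suffix, 0)


def audit_accounts(accounts) -> list:
    """Run the check at password-set time for an iterable of (user, password)
    pairs; return [(user, count)] for every account whose password is leaked,
    sorted by count descending so the most widely leaked are handled first."""
    hits = [(user, leak_count(pw)) for user, pw in accounts]
    return sorted([(u, c) for u, c in hits if c > 0], key=lambda t: -t[1])


if __name__ == "__main__":
    # Constructed sample accounts for a local run.
    sample = [
        ("alice@district.example", "Spring2024!"),
        ("bob@district.example", "xK9#vL2$mQ7pWz"),
        ("carol@district.example", "password"),
    ]
    for user, count in audit_accounts(sample):
        print(f"{user}: password seen in {count} leak(s), force reset")
```

The design point is that the secret never crosses the trust boundary: only a 20-bit prefix leaves the client, and the bucket the provider returns covers many unrelated hashes, so a provider (or anyone observing the query) learns only that one of a large set of passwords was checked.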

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor for threats emanating from breaches like that suffered by PowerSchool.

Field Effect MDR Complete users will be automatically notified if any of their personal information is disclosed as a result of this breach and are encouraged to review any related AROs and/or monthly dark web monitoring reports via the Field Effect portal as soon as possible.

To counter the threat posed by leaked credentials and other sensitive and personal information, Field Effect strongly encourages organizations to implement a dark web monitoring capability.
