PowerSchool data breach investigation reveals earlier security breach

PowerSchool has published a long-anticipated investigation by cybersecurity firm CrowdStrike, shedding light on the massive December 2024 data breach that compromised sensitive student and teacher information. The findings reveal that the breach was preceded by earlier intrusions in August and September 2024, underscoring the scale of the security lapse.

PowerSchool, a leading cloud-based K-12 software provider, serves over 60 million students and 18,000 educational institutions globally. The company offers a range of solutions, including enrollment management, communication tools, attendance tracking, staff management, learning analytics, and financial services. In December 2024, PowerSchool disclosed that hackers had infiltrated its customer support portal, PowerSource, exploiting a remote maintenance tool to access customer databases. The stolen data included full names, physical addresses, contact details, Social Security numbers (SSNs), medical records, and academic grades.

Although PowerSchool has not officially confirmed the total number of affected individuals, cybersecurity news outlet BleepingComputer previously reported that the threat actors claimed to have stolen the data of 72 million people, including students and educators. The recently released CrowdStrike report, dated February 28, 2025, provides crucial insights into the attack’s timeline and execution.

According to CrowdStrike, hackers first accessed PowerSource in August 2024 using compromised support credentials. They then re-entered the system in September before executing the large-scale data exfiltration in December. The attackers maintained unauthorized access between December 19 and December 28, 2024, extracting sensitive data from PowerSchool’s systems. However, CrowdStrike found no evidence that malware had been deployed, nor that the hackers escalated privileges or moved laterally within PowerSchool’s network to compromise additional databases.

The report also suggests that, as of January 2, 2025, the stolen data had not surfaced on the dark web, indicating that an extortion demand may have been paid to prevent its release. Nevertheless, the perpetrators’ identities remain unclear. While the same compromised credentials were used in the earlier August and September breaches, there is insufficient data to determine whether the same individuals carried out the December attack.

Despite the severity of the breach, PowerSchool has yet to disclose the full scope of the impact publicly. This lack of transparency has raised concerns among affected institutions and security experts. However, sources cited by BleepingComputer claim that the breach impacted 6,505 school districts across the United States, Canada, and other countries, affecting approximately 62.5 million students and 9.5 million teachers.