Threat actors accessed the customer support portal of education tech giant PowerSchool several months before the massive December 2024 data breach, cybersecurity firm CrowdStrike says.
In January, PowerSchool revealed that hackers had stolen personal information from its Student Information System (SIS) environments, which were accessed through the PowerSource community-focused customer support portal.
Using compromised credentials for a maintenance account, the hackers stole names, contact details, dates of birth, medical information, Social Security numbers, and other information of both students and educators.
PowerSchool has not shared information on the number of potentially impacted individuals, but multiple school districts in the US and Canada said that the attackers stole all their historical data from the SIS service and reports suggest that roughly 70 million people might be affected.
A fresh CrowdStrike report (PDF) summarizing the findings of its investigation into the incident does not clarify how many individuals had their personal information stolen, but shows that the data has not appeared for sale on the dark web.
As the Menlo Park City School District (MPCSD) pointed out in a January incident notice, this may be because PowerSchool engaged CyberSteward to negotiate with the hackers and likely paid a ransom to ensure that the data is not leaked publicly.
CrowdStrike’s report also confirms that the attackers used compromised credentials for a maintenance account to access PowerSchool’s SIS service through the PowerSource portal, and to steal student and educator information between December 19 and December 28.
Additionally, the report shows that the same compromised credentials were used between August 16 and September 17, 2024, to access the PowerSchool PowerSource portal, but it does not link the two intrusions.
“CrowdStrike did not find sufficient evidence to attribute this activity to the threat actor responsible for the activity in December 2024. The available SIS log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data,” the report reads.
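The two findings above, a single compromised maintenance account used in separate windows months apart and a log store that did not reach back far enough, are the kind of thing an investigator checks first. The script below is an added illustration, not code from the report or from PowerSchool: it clusters one account's logins into activity windows, lists which source addresses appear in more than one window, and flags when the earliest surviving event sits right at the retention horizon, meaning the record may start mid-activity. The log format, the `maint_svc` account name, the addresses and the retention date are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample auth log for a support-portal maintenance account.
# The account name, addresses and line format are assumptions for this
# example; they are not PowerSchool's or CrowdStrike's data.
SAMPLE_LOG = """\
2024-08-16T02:14:09Z maint_svc 203.0.113.10 LOGIN_OK
2024-08-20T03:02:44Z maint_svc 203.0.113.10 LOGIN_OK
2024-09-17T01:55:12Z maint_svc 203.0.113.10 LOGIN_OK
2024-11-03T09:12:00Z maint_svc 198.51.100.7 LOGIN_OK
2024-12-19T04:41:30Z maint_svc 203.0.113.10 LOGIN_OK
2024-12-28T05:10:02Z maint_svc 203.0.113.10 LOGIN_OK
2024-12-28T06:00:00Z jdoe 192.0.2.44 LOGIN_OK
"""

# Assumed retention horizon: the earliest timestamp the log store still holds.
RETENTION_START = datetime(2024, 8, 15)


def parse_log(text):
    """Parse 'timestamp account source result' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "src": src,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def activity_windows(events, account, gap_days=30):
    """Cluster an account's successful logins into windows separated by quiet
    gaps longer than gap_days. Each window is (start, end, set_of_sources)."""
    logins = [e for e in events if e["account"] == account and e["result"] == "LOGIN_OK"]
    windows = []
    for e in logins:
        if windows and e["ts"] - windows[-1][1] <= timedelta(days=gap_days):
            start, _, sources = windows[-1]
            windows[-1] = (start, e["ts"], sources | {e["src"]})
        else:
            windows.append((e["ts"], e["ts"], {e["src"]}))
    return windows


def shared_sources(windows):
    """Source addresses seen in more than one activity window. A shared source
    is a lead for linking windows, not proof they are the same actor."""
    counts = {}
    for _, _, sources in windows:
        for s in sources:
            counts[s] = counts.get(s, 0) + 1
    return sorted(s for s, n in counts.items() if n > 1)


def history_truncated(events, account, retention_start, margin_days=7):
    """True when the account's earliest surviving event lies within margin_days
    of the retention horizon, so earlier activity may simply have aged out."""
    own = [e["ts"] for e in events if e["account"] == account]
    if not own:
        return False
    return own[0] - retention_start <= timedelta(days=margin_days)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    wins = activity_windows(evs, "maint_svc")
    for start, end, srcs in wins:
        print(f"{start:%Y-%m-%d} .. {end:%Y-%m-%d} from {sorted(srcs)}")
    print("shared sources:", shared_sources(wins))
    print("history truncated:", history_truncated(evs, "maint_svc", RETENTION_START))
```

On the constructed log this yields three windows (mid-August to mid-September, a single November login from a different address, and the late-December window), one address shared between the first and third windows, and a truncation flag because the first surviving event is one day after the retention horizon. The practical takeaway for a defender is the last check: before concluding that an earlier window did or did not touch sensitive data, confirm that the logs for that period actually exist.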
CrowdStrike found no evidence of unauthorized activity in PowerSchool’s environment after December 28, of a malware infection, of system compromise, or of other PowerSchool customer IT environments being accessed or at risk of compromise.
“CrowdStrike did not identify any new or concerning findings beyond what we already shared,” PowerSchool notes in a March 7 update to its incident notice.