Yesterday, PowerSchool disclosed that on December 28, it had become aware of a data breach that affected some, but not all, of its PowerSchool clients. PowerSchool Student Information System (SIS) is used by school districts worldwide to help schools manage student educational records including grades, attendance, and enrollment.
Emails were sent to all PowerSchool clients yesterday. One version was sent to districts for whom PowerSchool had not found evidence that they were affected. The other email was sent to those whose data had been compromised. Copies of both versions were seen by DataBreaches.
PowerSchool’s notices stressed that no other products were affected. The notice to affected customers began:
As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
PowerSchool is conducting webinars today and tomorrow to provide additional information and support to clients.
Of particular note in their preliminary notification is that it appears PowerSchool paid the threat actor(s) to delete the stolen data. In a customer FAQ that was stamped “Confidential” but has already been quoted online elsewhere, PowerSchool claims:
Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience any operational disruption and continues to provide services as normal to our customers.
We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
Do they really believe that? Threat actors often offer to show their victims a real-time video of data deletion after payment, claiming that they wouldn’t lie about a data deletion assurance because their reputation depends on them keeping their word. Yet law enforcement has repeatedly found and reported evidence that datasets that were allegedly deleted had not been deleted, and that other copies had been saved by the threat actors.
SysAdmins Help Each Other
In the absence of details in its initial disclosure, a Reddit thread focused on what evidence district sysadmins could find in their logs. As @tcourtney22 wrote:
I found two correlated exports involving the maintenance account (200A0), backed by the following logs:
• ps-log-audit.4.log
• mass-data-import-export-2024-12-22-1.log
- 12/22/2024 at 4:56 AM → Dumped the Students Table.
  2024-12-22 04:57:39,551 Module: Students Export ID: 17348520 User ID: 0 Total Records: 17430 Total of Bytes Exported: 15735187 Total Elapsed Time: 0 Hours 0 Minutes 41 Seconds
- 12/22/2024 at 8:18 PM → Dumped the Teachers Table.
  Module: Teachers Export ID: 17348537 User ID: 0 Total Records: 4635 Total of Bytes Exported: 1318854 Total Elapsed Time: 0 Hours 0 Minutes 4 Seconds
The unusual part is that we shouldn’t have imports/exports like these running at such odd hours, especially on a Sunday. Adding to the concern, the IP address logged (91.218.50.11) is registered in Ukraine.
Now, if this doesn’t indicate an issue, then it’s one heck of a coincidence.
Looking back at the logs, there was no activity from this account in mid-December until 12/20/2024, when there was a significant spike in activity. It’s possible this was reconnaissance before the export, but that’s just speculation for now.
The maintenance user shows up as 200A0 in the ps-log-audit files.
Other sysadmins in that thread reported the same findings in their own logs. So it appears that the exfiltration began on December 22, was associated with an IP address in Ukraine that belongs to Virtual Systems LLC, and the maintenance user never logged out.
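The evidence the sysadmins describe (bulk Students and Teachers exports by the maintenance account, at odd hours on a Sunday) is exactly the kind of thing a district can screen its own mass-data-import-export logs for. The script below is an added example, not code from the article, the Reddit post, or PowerSchool. It assumes the export summary line looks like the single excerpt quoted above, treats User ID 0 as the maintenance/service account as that excerpt does, and uses business-hours and record-count thresholds that are assumptions a district would tune. The sample lines are constructed around the two quoted exports and are not real log data.

```python
"""Triage bulk-export lines from a PowerSchool-style mass-data-import-export log.

Added example (not from the article or from PowerSchool). The line format is
assumed from the one excerpt quoted in the Reddit thread; sample lines below
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed format of an export summary line, based on the quoted excerpt.
EXPORT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"Module:\s+(?P<module>.+?)\s+Export ID:\s+(?P<export_id>\d+)\s+"
    r"User ID:\s+(?P<user_id>\d+)\s+Total Records:\s+(?P<records>\d+)\s+"
    r"Total of Bytes Exported:\s+(?P<nbytes>\d+)"
)

# Assumed review thresholds; tune to the district's actual schedule.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(18, 0)
SENSITIVE_MODULES = {"Students", "Teachers"}
SERVICE_USER_IDS = frozenset({0})  # User ID 0 = maintenance account (assumption from the excerpt)


@dataclass
class ExportEvent:
    ts: datetime
    module: str
    export_id: int
    user_id: int
    records: int
    nbytes: int


def parse_export_lines(lines):
    """Return ExportEvent objects for every line matching the assumed format; skip the rest."""
    events = []
    for line in lines:
        m = EXPORT_RE.match(line.strip())
        if not m:
            continue
        events.append(ExportEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            module=m["module"],
            export_id=int(m["export_id"]),
            user_id=int(m["user_id"]),
            records=int(m["records"]),
            nbytes=int(m["nbytes"]),
        ))
    return events


def flag_reasons(ev, min_records=1000):
    """List the reasons an export deserves review (empty list = looks routine)."""
    reasons = []
    if ev.ts.weekday() >= 5:
        reasons.append("weekend")
    if not (BUSINESS_START <= ev.ts.time() < BUSINESS_END):
        reasons.append("outside business hours")
    if ev.user_id in SERVICE_USER_IDS:
        reasons.append(f"service/maintenance user id {ev.user_id}")
    if ev.module in SENSITIVE_MODULES and ev.records >= min_records:
        reasons.append(f"bulk {ev.module} export ({ev.records} records)")
    return reasons


def triage(lines, min_records=1000):
    """Return [(event, reasons)] for every export that tripped at least one check."""
    flagged = []
    for ev in parse_export_lines(lines):
        reasons = flag_reasons(ev, min_records=min_records)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def total_exposure(flagged):
    """Sum records and bytes across flagged exports, for the notification scoping question."""
    return (sum(ev.records for ev, _ in flagged), sum(ev.nbytes for ev, _ in flagged))


# Constructed sample: a routine weekday export, the two exports quoted in the thread
# (the Teachers line's timestamp is constructed; the thread gives only "8:18 PM"),
# and a line that does not match the format and should be ignored.
SAMPLE_LOG = """\
2024-12-19 10:12:03,004 Module: Students Export ID: 17348001 User ID: 412 Total Records: 35 Total of Bytes Exported: 28914 Total Elapsed Time: 0 Hours 0 Minutes 1 Seconds
2024-12-22 04:57:39,551 Module: Students Export ID: 17348520 User ID: 0 Total Records: 17430 Total of Bytes Exported: 15735187 Total Elapsed Time: 0 Hours 0 Minutes 41 Seconds
2024-12-22 20:18:02,117 Module: Teachers Export ID: 17348537 User ID: 0 Total Records: 4635 Total of Bytes Exported: 1318854 Total Elapsed Time: 0 Hours 0 Minutes 4 Seconds
2024-12-22 20:18:10,000 Scheduler heartbeat ok
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for ev, reasons in hits:
        print(f"{ev.ts} export {ev.export_id} ({ev.module}, {ev.records} records): " + "; ".join(reasons))
    print("records/bytes in flagged exports:", total_exposure(hits))
```

Run it against the real mass-data-import-export-*.log files (one line per call to `triage`), then pivot the flagged Export IDs and timestamps into the ps-log-audit files to recover the source IP and session, which is the correlation the thread describes. The thresholds are deliberately conservative; a district with a legitimate overnight sync job should allowlist that job's user ID rather than loosen the hours.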
So Many Unanswered Questions as Yet
DataBreaches did not disclose anything publicly until now so as not to interfere with any investigation, but through multiple sources, DataBreaches and the FBI had previously been made aware of a campaign to attack PowerSchool and to extort them.
DataBreaches sent PowerSchool a list of questions last night. There has been no reply, at least as yet. Some of the questions have since been answered by others, but are repeated below anyway for context. Those attending the webinar may wish to pose the as-yet unanswered questions to PowerSchool:
I don’t know who you are but thank you for reporting this. No other news sources are reporting this was out of Ukraine and it’s absolutely asinine. They have the IP address of the server it was done out of and we have active military there but nobody seems to be kicking a door in? Why? This is absolutely ridiculous. They’ve already brokered a deal with these thieves and we’re supposed to explain to parents on their behalf that they’ve promised it’s been deleted? They can’t promise that and we can’t either. Everyone involved knows that. So sick of this. I’m from a school district that’s been affected. From other reports and posts on X, looks like there are many.
Are they telling you exactly what details and students and which parents and which teachers have to be notified or not yet?
We’re still doing our preliminary audit of things to find out this information all on our own internally, with recommendations that aren’t even officially from PowerSchool but from another customer. Praise God for them too; otherwise we’d really be chasing needles in haystacks.
You look up the IP of the server the bad actors used (91.218.50.11) and it all checks out as verified. I’ve not found data on a single reputation site that suggests otherwise.
According to Cisco Talos there’s no history of a threat and it’s on no block lists. We’re hosted so it’s tied our hands even more than those who are self-hosted and can block connections via country of origin etc.
My question is why in the “H-E-DOUBLE-L” was PowerSchool not blocking incoming connections to POWERSOURCE from Ukraine of all countries? And they seriously expect us to ever believe their hosted solutions are more secure ever again?
There’s supposed to be a webinar hosted by PowerSchool later today, apparently.
I think a lot of people will be asking why PowerSchool didn’t block at the firewall based on geo-location.
I’m not a security professional, but I’d also like to know how this threat actor got access. Even if there was a stolen credential via an infostealer or phishing attack, wasn’t there 2FA or MFA? If there was, how did the attacker bypass it?
And did alarms go off as data was being exfiltrated? If alarms were going off, were they responded to at all before December 28?
So many questions…..
Great article of information. We are a PS client and they host our information. This breach is not good for anyone. I appreciate the article I will be on the webinar tomorrow to find out why the breach happened and how it was accessed.
They verified that it was compromised employee credentials used to access PowerSource; then they used a script to pull data from SIS instances (which means they knew the database schema and design ahead of time) via the “Management” tunnel. So no, you are correct, evidently MFA was *not* implemented. This was the first question we asked as well – wouldn’t this be the first place you would implement it? It begs and demands so many questions.
Also asked the Ukraine question in the context of blocking incoming connections from known regions outside the USA – do not remember getting an answer. It’s probably forbidden to consider because of the religion of political correctness.
Supposedly there will be a FAQ posted soon; they had “thousands” of questions by the end of the Q&A.
VSYS (the host at the IP address) is simply a hosting firm. Anyone can get an account. And UA should be motivated to cooperate with US law enforcement when they are asked for details on the account holder. But it may be a dead end unless the Cruz name was an actual employee name somewhere and not just a random moniker the threat actor picked. The good news (if there is any) is that most of these threat actors do make opsec mistakes, so at some point his connection may have dropped and he may have revealed his real IP, etc.
But none of that helps sysadmins right now, or parents or teachers. Do you have info/advice to give them re security freezes, having parents check to determine if their minor children have credit reports when they shouldn’t have them, and filing police reports and contacting banks and credit card issuers, etc.? If you need some links to use for referring to sites where they can take steps to protect themselves, let me know. And to be clear: this site doesn’t offer any services or sell any such services.
Sat in on the Powerschool information meeting. I got more info on this website.