
Cyber Alert: PowerSchool Breach Escalates as Hackers Target Individual School Districts
By Alliant Cyber / May 23, 2025
Cybercriminals are constantly adapting their strategies, shifting from broad ransomware attacks to highly targeted, multi-phase extortion campaigns. A recent example is unfolding around PowerSchool, a major provider of K-12 student information systems (SIS) software, serving over 60 million students globally.
New Developments in the PowerSchool Breach
The initial PowerSchool breach has now evolved into direct extortion attempts aimed at individual school districts. This development is a powerful reminder that, to combat cybercrime, organizations must adopt proactive, adaptive cybersecurity strategies that evolve as rapidly as the threats themselves. Alliant Cyber has gathered several actionable insights to help your organization safeguard its data and prevent potential exfiltration.
How Did the PowerSchool Breach Begin?
In a concerning development following the December 2024 cyber attack on PowerSchool, hackers are now directly extorting individual school districts using data stolen during the initial breach. Despite PowerSchool's payment of a ransom, intended to ensure the deletion of the compromised data, threat actors have initiated a second wave of attacks, contacting districts across North America with demands for additional payments.
The breach was traced back to compromised credentials that granted unauthorized access to the PowerSource customer support portal. From there, attackers exploited a maintenance tool to export sensitive data, including names, contact information, dates of birth, Social Security numbers and limited medical information.
Notably, the Toronto District School Board and multiple districts in North Carolina have reported receiving extortion emails demanding Bitcoin payments in exchange for not releasing the stolen data. This tactic, known as "double extortion," involves cybercriminals leveraging previously stolen data to pressure victims into paying additional ransoms.
3 Critical Concerns From The PowerSchool Cyber Attack
This escalation underscores the persistent risks associated with cyber attacks, even after initial incidents appear to be resolved, and highlights several critical concerns:
- Questionable Effectiveness of Ransom Payments: Paying a ransom does not guarantee the deletion of stolen data. In this case, despite assurances, the data was used for further extortion.
- Supply Chain Vulnerabilities: Third-party vendors with access to sensitive information can become entry points for cyber attacks, emphasizing the need for rigorous vendor risk assessments.
- Reputational and Financial Damage: Extended breaches can erode trust and lead to significant financial losses, including costs associated with legal fees, remediation and potential regulatory fines.
What if Our Data Has Been Exfiltrated as a Result of The PowerSchool Cyber Attack?
If your organization believes it has been affected by this cyber breach, it should take several prudent steps, including invoking its cyber incident response plan and consulting with legal counsel, IT leaders, risk managers and other key internal stakeholders. Should you need to report a cyber claim for a loss arising out of this or any potential cyber incident, please contact your Alliant Cyber service team. We can assist you with providing notification to the appropriate insurers and put you in touch with qualified incident response vendors.
Additional Cyber Risk Management Best Practices
To mitigate risks and enhance cybersecurity posture, organizations should consider the following actions:
- Implement Multi-Factor Authentication (MFA): Ensure all systems, especially those accessible by third-party vendors, require MFA to reduce the risk of unauthorized access.
- Conduct Regular Security Audits: Regularly assess and update security protocols, focusing on access controls and data encryption.
- Enhance Vendor Management: Develop stringent criteria for vendor selection and continuously monitor their security practices.
- Develop Incident Response Plans: Establish and regularly update comprehensive incident response strategies to quickly address potential breaches.
- Educate Employees: Provide ongoing training to employees about phishing attacks and other common cyber threats to foster a security-aware culture.
What if My Organization Receives an Extortion Demand from a Cyber Threat Actor?
If your organization receives an extortion demand, take the following critical steps to protect your assets:
- Consult with key stakeholders, including professionals from legal, risk management and executive leadership.
- Determine which relevant third parties should be contacted and/or engaged, including a breach coach/cyber counsel or law enforcement.
- Notify your Cyber insurance broker and carrier.
Alliant Cyber navigates businesses through complex challenges like the PowerSchool breach by offering tailored risk management solutions and industry-leading guidance. Our team is dedicated to helping organizations strengthen their cybersecurity frameworks, prevent breaches and respond effectively when incidents occur.
In today’s ever-evolving cybersecurity climate, responding quickly and effectively to cyber incidents is not just recommended—it’s essential. For more information on enhancing your organization's cybersecurity posture, please contact an Alliant Cyber representative.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.