Cyber Alert: PowerSchool K-12 Education and Student Information System (SIS) Software Breach
By Alliant Cyber / January 16, 2025
Managing cyber risk for our clients involves more than just facilitating insurance transactions. In light of the recent cyber incident related to the PowerSchool K-12 education and student information system (SIS) software, we are sharing actionable insights to help your organization safeguard its data and prevent potential exfiltration.
What’s Happening?
In communications to its customers, PowerSchool disclosed a cybersecurity breach on January 7, 2025. The company stated that it discovered the breach on December 28, 2024. PowerSchool explained that customer data stored within its SIS platform was stolen through its PowerSource support portal.
PowerSchool SIS is a student information system utilized by many K-12 schools for managing grades, attendance, enrollment and other student records.
According to PowerSchool, the cyber threat actors accessed the PowerSource portal using compromised credentials and used a data export utility to exfiltrate the data from the PowerSchool network.
PowerSchool clarified that this incident was not the result of ransomware or software vulnerabilities, but rather a straightforward network intrusion. To address the breach, the company has engaged a third-party cybersecurity firm to investigate the incident, determine the cause and identify those affected.
According to PowerSource, their portal includes a feature that allows PowerSchool technical personnel to access customer systems for support and troubleshooting. The attacker exploited this feature to export the PowerSchool SIS database tables to a CSV file, which was then exfiltrated outside of the PowerSchool network.
PowerSchool stated that the stolen data primarily includes elements such as names and addresses. PowerSchool went on to state that compromised data may also include more sensitive information, such as Social Security numbers, personally identifiable information, health or medical information and academic records.
PowerSchool noted that customer-specific credentials and technical support information were not compromised during the breach. PowerSchool emphasized that not all SIS customers were impacted and that it expects only a subset of customers will need to notify those affected.
"We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination," PowerSchool told customers in a notice. "We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts."
PowerSchool said affected adults will be offered free credit monitoring, while minors will receive subscriptions to an unspecified identity protection service.
What Actions Should My Organization Consider Taking Right Now?
Organizations that utilize PowerSchool software and solutions should contact PowerSchool to confirm if their data was compromised.
Once an organization confirms they were impacted by this incident, they should then take appropriate actions, including contacting their cyber insurance broker and potentially notifying their cyber insurance carrier.
What if I Discover That Our Data Has Been Exfiltrated as a Result of This Incident?
If your organization believes it has been affected by this cyber breach, then the organization should take several prudent steps, including invoking its cyber incident response plan and consulting with legal counsel, organizational cyber and IT leaders, risk management and other critical internal business leaders and stakeholders. Should you need to report a cyber claim for a loss arising out of this or any potential cyber incident, please contact your Alliant Cyber service team. We can assist you with providing notification to the appropriate insurers and put you in touch with qualified incident response vendors.
Additional Cyber Risk Management & Security Best Practices
Given the applicability and potential impacts of the PowerSchool cyber incident, Alliant Cyber encourages all organizations to take the time to assess their overall cyber risk management and security hygiene and readiness. Alliant Cyber suggests organizations consider taking the following action items now, with the goal of optimizing cyber resilience:
- Contact your cyber insurance broker, and review coverages, limits, retention, exclusions and new developments in cyber insurance requirements.
- Conduct targeted assessments of key third parties, with a focus on those that host or process sensitive or regulated data. Ensure that appropriate controls are in place for higher-risk providers.
- Conduct a comprehensive vulnerability scan and analysis exercise across the environment. Prioritize results and remediate/mitigate any significant findings.
- Conduct dark web scanning and analysis to identify indications of a data leak or compromise.
- Review, validate and update existing cyber incident response plans and procedures to help ensure that the organization is truly prepared for a potential cyber attack or incident.
- Review network security and update network firewall rules to only allow connections to infrastructure such as MOVEit Transfer from known trusted IP addresses.
- Review and remove any unauthorized user accounts across key infrastructure and application platforms.
- Update remote access policies and security configurations to only allow inbound connections from known and trusted systems.
- Enable multi-factor authentication (MFA). MFA protects IT infrastructure and applications like MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen or compromised.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.