PowerSchool has published a long-awaited CrowdStrike investigation into its massive December 2024 data breach, which determined that the company was previously hacked over 4 months earlier, in August, and then again in September.

PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions.

Although the company has not officially disclosed the number of people impacted by this incident, BleepingComputer first reported that the threat actor claimed to have stolen the data of 72 million people, including students and teachers. However, sources told BleepingComputer that the breach impacted 6,505 school districts in the US, Canada, and other countries, with 62,488,628 students and 9,506,624 teachers having their data stolen.

In an update published late last week, PowerSchool shared a CrowdStrike incident report that was compiled on February 28, 2025. In that report, CrowdStrike confirms that the threat actors breached PowerSchool through PowerSource using compromised credentials and maintained their access between December 19, 2024, 19:43:14 UTC, and December 28, 2024, 06:31:18 UTC.

The cybersecurity firm also confirmed that the threat actor exfiltrated teachers' and students' data from the compromised systems, though it notes there's no evidence that other databases were stolen. Similarly, there's no evidence that malware was planted on PowerSchool systems or that the threat actor escalated their privilege, moved laterally, or moved downstream to customer/school systems.

CrowdStrike noted that, as of January 2, 2025, its dark web intelligence showed that the threat actors kept their promise not to publish data after an extortion demand was paid, as the cybersecurity firm has not found the data offered for sale or leaked online.

CrowdStrike also found that threat actors breached PowerSource even earlier than December, with the same compromised credentials used months earlier, in August and September 2024.

"Beginning on August 16, 2024, at 01:27:29 UTC, PowerSource logs showed that an unknown actor successfully accessed the PowerSchool PowerSource portal using the compromised support credentials," explains CrowdStrike.

This portal included a remote maintenance tool that allowed the threat actor to connect to customers' databases and steal sensitive information, including full names, physical addresses, contact information, Social Security numbers (SSNs), medical data, and grades.

At this time, PowerSchool has still not officially shared the total number of impacted schools, students, or teachers, raising concerns about transparency.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 11 Mar 2025 13:45:10 +0000