PowerSchool Was Compromised Months Before Data Breach

PowerSchool, a major provider of education software solutions, was compromised months before its December 2024 data breach, according to a forensic investigation by cybersecurity firm CrowdStrike.
The company had initially reported that hackers gained unauthorized access between December 19 and December 28, 2024. However, findings now show that attackers had infiltrated the system as early as August 16, 2024, using the same compromised credentials later used in the December breach.
The breach affected millions of students, teachers, and school staff members. While PowerSchool has not provided an exact number, sources suggest that as many as 72 million individuals were impacted.
Sensitive data, including full names, addresses, Social Security numbers, medical records, and student grades, were exposed. CrowdStrike’s report confirms that attackers accessed PowerSchool’s PowerSource customer support portal, which provided a maintenance tool that allowed the hackers to reach school databases.
TechCrunch reports that the investigation found no evidence linking the August and December intrusions to the same hacker, as PowerSchool's system logs did not retain enough data. However, CrowdStrike noted that had the company updated or revoked the compromised credentials after the initial breach, the December attack could have been prevented. “The available SIS log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data,” the report stated.
The hackers leveraged the same support credentials in both incidents, highlighting concerns over PowerSchool’s security measures. Despite acknowledging the investigation’s findings, the company has remained silent on whether it was aware of the August intrusion before CrowdStrike’s report. The lack of transparency has raised questions about PowerSchool’s handling of the breach and its response to security threats.
As of February 28, 2025, dark web monitoring showed no signs of the stolen data being publicly leaked. According to an FAQ written by PowerSchool, the company paid a ransom to prevent the stolen data from being leaked, with threat actors allegedly sharing a video that showed the data being deleted.
The breach impacted over 6,500 school districts across the US, Canada, and other countries, making it one of the largest educational data breaches in history.
While investigations continue, cybersecurity experts stress the importance of proactive security measures. The failure to secure compromised credentials after the initial breach left PowerSchool vulnerable to a second attack, demonstrating the risks of inadequate cybersecurity practices.