Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
No more pencils, no more books—your info has been hacked by crooks.
A Dec. 28 attack on software solutions provider PowerSchool, which works with K–12 districts around the US, resulted in the breach of data of a number of students. The attack was due to compromised credentials, PowerSchool wrote in a statement via Director of Communication Melissa Wenzel.
“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource,” Wenzel said. “PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.”
No class. The potential pool of victims, Saviynt Chief Trust Officer Jim Routh told IT Brew in an email, is 50 million students. Because of the nature of the attack—the compromised credentials—the first lesson for organizations is to “increase cyber resilience against threat actors attempting to gain privileged access using compromised user/consumer credentials,” Routh wrote via PR rep Tila Pacheco.
“A secondary lesson learned from this incident is the need for cloud service providers to reduce the use of passwords that can be compromised,” he added.
Data breaches affecting students are of particular concern as the victims are often minors and thus generally less likely to notice when their Social Security numbers are used to open fraudulent accounts or their credit is compromised. Mark Beare, Malwarebytes GM of the global consumer unit, wrote in August 2024 that after his daughter had her information leaked in a medical company breach, he reviewed the ways to protect her. Among the recommendations were to freeze credit, squat on digital assets, and ensure passwords are protected.
No principals. But while that’s helpful on the individual level, it’s less helpful for a major breach like at PowerSchool. The company said it was taking action.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” Wenzel told IT Brew.
Districts like New Jersey’s South Orange-Maplewood rushed to reassure parents and other community members that they were taking steps to ensure the safety of their children’s data. In a letter, Superintendent Jason Bing said that “PowerSchool is preparing resources to help families understand what happened, including FAQs, talking points, and webinars with their experts.”
“We are working closely with PowerSchool to ensure your information remains protected moving forward,” Bing wrote. “Independent of forthcoming PowerSchool actions, SOMSD has generated new API credentials for data access to PowerSchool for key third-party data access.”
South Orange-Maplewood Director of Communications Eshaya Draper declined to comment further.