Since PowerSchool revealed earlier this month that it had fallen victim to a data breach, many questions remain about the impact and implications for student and staff data in school districts that use PowerSchool’s software nationwide.
PowerSchool is expected to release a report soon based on findings from CrowdStrike, a cybersecurity company investigating the situation. Information from that report will be shared directly with PowerSchool customers, a company spokesperson told K-12 Dive in an email Friday.
The K-12 software company told K-12 Dive earlier this month that it became aware on Dec. 28 of what it called a “potential” cybersecurity incident in which a threat actor gained unauthorized access to an unknown amount of student and staff data from its PowerSource service. PowerSource is a customer support portal for district and school staff.
The threat actor is believed to have stolen data from two tables containing family and teacher information from PowerSchool’s Student Information System database. Some of that data may include personally identifiable information like names and addresses of families and educators. In some cases, information such as Social Security numbers and medical data was also exposed.
A lack of cyber hygiene?
While PowerSchool told K-12 Dive the incident was not a ransomware attack, a news report from Bleeping Computer said the software company’s FAQ page for customers acknowledged that it paid the threat actor following the data breach. When K-12 Dive previously asked PowerSchool if the company had paid the threat actor, a spokesperson said: “We have taken all appropriate steps to prevent the data involved from further unauthorized misuse. The incident is contained and we do not anticipate the data being shared or made public.”
In a Jan. 15 webinar, national school cybersecurity nonprofit K12 Security Information eXchange invited cybersecurity experts to share reactions and next steps for school districts following the PowerSchool data breach. Doug Levin, co-founder and national director of K12 SIX, said during the webinar that any kind of payment to a threat actor via extortion imperils the education sector.
“It encourages malicious actors to continue to target us and try to extort us, either by using encryption to lock up our devices or stealing our data and trying to extort us to keep it from being leaked,” Levin said.
Levin added there’s no guarantee that any stolen data won’t be further exploited and shared even if an organization pays a bad actor not to release it on the dark web. “I think it's certainly possible that it could show up there and be released at some point in the future, or it could be used to target individual teachers and students directly via phishing or social engineering,” Levin said.
The FBI also strongly discourages victims of ransomware attacks from paying hackers for reasons similar to those Levin shared.
Speakers on the webinar also raised questions about whether PowerSchool used multifactor authentication for its PowerSource service before the data breach.
While PowerSchool’s internal systems use multifactor authentication, the infiltrated PowerSource system did not have multifactor authentication support, a company spokesperson told K-12 Dive on Friday. However, PowerSchool said that has since been addressed through its remediation plan.
Wesley Lombardo, technology director at Tennessee's Maryville City Schools, told the webinar that there’s no reason a single user should be able to access all student and teacher data from every available school district. PowerSchool’s lack of cyber hygiene is “pretty concerning,” he said.
“I feel like there were failures kind of along the way of places where they could have maybe not have stopped that initial access, but definitely as soon as the exfiltration started, [there] should have been bells and whistles and all kinds of things kind of alerting that something was amiss,” Lombardo said.
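The two gaps Lombardo describes, a single account that can reach every district's data and a bulk export that raises no alarm, are both visible in a support portal's access log if anyone looks. The following is an added illustration, not PowerSchool's code or anything shown in the webinar: the log entries, account names, per-account district scopes and alert thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log for a hypothetical multi-tenant support portal.
# Fields: timestamp, account, district, table, rows_read
ACCESS_LOG = [
    ("2024-12-28T01:00:00", "support_a", "district-1", "teachers", 120),
    ("2024-12-28T01:05:00", "support_a", "district-1", "students", 900),
    ("2024-12-28T02:10:00", "support_b", "district-7", "students", 200),
    ("2024-12-28T03:00:00", "maint_acct", "district-1", "students", 50000),
    ("2024-12-28T03:01:00", "maint_acct", "district-2", "students", 48000),
    ("2024-12-28T03:02:00", "maint_acct", "district-3", "teachers", 3000),
    ("2024-12-28T03:03:00", "maint_acct", "district-4", "students", 61000),
]

# Hypothetical tenant scope: the districts each support account is authorized to touch.
TENANT_SCOPE = {
    "support_a": {"district-1"},
    "support_b": {"district-7"},
    "maint_acct": {"district-1"},
}

# Illustrative thresholds for one account within a one-hour window.
MAX_DISTRICTS_PER_WINDOW = 2
MAX_ROWS_PER_WINDOW = 10000
WINDOW = timedelta(hours=1)


def out_of_scope_accesses(log, scope):
    """Least-privilege check: (account, district) pairs read outside the account's scope."""
    return [(acct, dist) for _, acct, dist, _, _ in log if dist not in scope.get(acct, set())]


def bulk_cross_tenant_alerts(log, window=WINDOW):
    """Exfiltration check: accounts whose reads in any window span too many districts or rows."""
    events = defaultdict(list)
    for ts, acct, dist, _, rows in log:
        events[acct].append((datetime.fromisoformat(ts), dist, rows))
    alerts = {}
    for acct, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            districts = {d for _, d, _ in in_win}
            row_total = sum(r for _, _, r in in_win)
            if len(districts) > MAX_DISTRICTS_PER_WINDOW or row_total > MAX_ROWS_PER_WINDOW:
                alerts[acct] = {"districts": len(districts), "rows": row_total}
                break  # one alert per account is enough to page someone
    return alerts
```

Run against the sample log, the scope check reports three districts the maintenance account was never authorized for, and the window check flags that same account for touching four districts and reading 162,000 rows in three minutes.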
Student data privacy violations?
Since the PowerSchool data breach came to light, at least four class action lawsuits have been filed against the company.
One of the more recent class action lawsuits was filed Friday in the U.S. District Court for the Eastern District of California on behalf of a parent, Shandrelle Okoni, who claims her children were impacted by the incident. The lawsuit alleges that PowerSchool was negligent during the cyberattack and that the data breach impacted over 60 million teachers and students.
Additionally, the lawsuit claims PowerSchool failed to provide timely notice to users who were affected, consequently taking away their ability to protect themselves.
“We live in a world where these EdTech companies are an inextricable part of our kids’ school experiences. Kids don’t get to consent to using this software, and parents basically don’t have a choice about whether their kids use it,” said a statement from attorneys John Morgan and Ryan McGee of law firm Morgan & Morgan, which is representing the plaintiffs. “And yet, PowerSchool, which houses the personal information of students and teachers across North America, allegedly failed to safeguard this sensitive data, exposing the information, safety and privacy of millions of children.”
As more details have come out, “it became clear how egregious this was in terms of the decisions that were made before the breach occurred,” said Amelia Vance, founder and president of the Public Interest Privacy Center, during the K12 SIX webinar.
“The legal obligations here are clear, the security requirements that they were missing have been standard and are codified in multiple laws,” Vance said.
PowerSchool is among those that have signed national ed tech data privacy pledges with the Cybersecurity and Infrastructure Security Agency, as well as the Future of Privacy Forum and the Software & Information Industry Association.
As a result of the breach, the status of PowerSchool’s pledge with the Future of Privacy Forum is “under review,” according to the Future of Privacy Forum. A final decision was expected within 30 days from Jan. 14.
“We have been reviewing the press reports of the PowerSchool data breach and potential violations of the company’s Student Privacy Pledge commitments, with particular attention to the commitment to maintain a comprehensive security plan,” a Jan. 14 statement from Future of Privacy Forum read.
Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, said in an email that ed tech vendors like PowerSchool are storing data for as long as they possibly can, which makes them vulnerable to having their data stolen.
“If companies like PowerSchool practiced a privacy-first approach and focused on data minimization, only collecting and storing what they absolutely need to provide the services they promise, many data breaches would be far less harmful to the victims,” Klosowski said.