PowerSchool's 'Trust the Hackers' Response Flunks Cyber Test
A recent massive EdTech data breach has exposed the fragility of digital-era private equity M&A, public-corporate partnership risks, vendor reliability, and real deficits in cyber readiness capability. The breach, which compromised sensitive student and teacher data from over 62 million students and 9.5 million teachers globally, serves as a stark reminder of the ever-evolving nature of cyber threats.
A Harrowing Breach: PowerSchool's Data Compromised
In December 2024, hackers gained access to PowerSchool's systems and took control of sensitive data from over 62 million students and 9.5 million teachers globally. The breach was a stark contrast to the company's previous response, which some might call "Trust the Hackers." In an internal letter, PowerSchool claimed that it had received assurances from the threat actor that the data had been deleted and no additional copies existed. This response, however, has been met with skepticism by many in the cybersecurity community.
A Compromised System: Schoology Maker's Dark Secret
Two months after the initial breach, CrowdStrike's forensic report revealed unauthorized activity on PowerSchool's systems dating back to at least August 2024. The report found that hackers used compromised credentials in both breaches, highlighting a lack of robust security measures in place. This finding has significant implications for school districts and their reliance on third-party vendors like PowerSchool.
Implications Beyond Local Teacher Lounges
The breach has far-reaching consequences that are not limited to the EdTech industry. Another example can be seen in PE-backed healthcare, where vulnerabilities were recently exposed. The incident raises the question of when a breach becomes "our" problem, a question that school districts must answer.
The Cost of Inaction: Cyber Danger Accelerates
Cyber danger is on the rise, and ransomware attacks are increasing. According to an NCC Group report, the number of ransomware attacks at the end of 2024 was the highest of any month since it started tracking such activity in 2021. KnowBe4 reported record levels of insurance claims and costs for cyber hits in 2024, with severity increasing by 17% compared to 2023.
A Call to Action: Cyber Readiness Agenda
The PowerSchool breach highlights the need for a comprehensive cyber readiness agenda. Shay Colson, managing partner at Intentional Cybersecurity, emphasizes the importance of leaders addressing critical questions about their vendor reliance. "Tackling these issues in real-time with no preparation is frankly overwhelming," he warns.
Three Critical Questions to Ask About Vendor Reliance
To address the growing threat landscape, Colson recommends that leaders ask three critical cyber readiness questions:
1. What are our most sensitive data assets, and how do we protect them?
2. Who has access to these assets, and how can we ensure only authorized personnel have access?
3. How will we respond in the event of a breach or compromise?
A Roadmap for Cyber Readiness
Colson concludes that "it's going to be rough in 2025" without a concerted effort to build defensible, communicable security programs. The sooner organizations focus on building robust cyber defenses, the better chance they have to mitigate the risk of breaches and protect sensitive data.
Conclusion
The PowerSchool breach serves as a wake-up call for organizations across various industries to prioritize cyber readiness. By asking critical questions about vendor reliance and taking proactive steps to address vulnerabilities, leaders can reduce the risk of breaches and ensure that their organization is better equipped to handle the ever-evolving nature of cyber threats.