
PowerSchool Breach Incident Score: Analysis & Impact (POW1393613112025)

This Rankiteo video explains how PowerSchool was impacted by a breach, first detected by Rankiteo on December 01, 2024.


Incident Summary

Rankiteo Incident Impact: 0
Company Score Before Incident: 100 / 1000
Company Score After Incident: 100 / 1000
Incident ID: POW1393613112025
Type of Cyber Incident: Breach
Primary Vector: Compromised Credentials, Exploitation of 'Always-On' Remote Access Feature
Data Exposed: NA
First Detected by Rankiteo: December 01, 2024
Last Updated Score: September 01, 2023


Key Highlights From This Incident Analysis

  • Timeline of PowerSchool's breach and lateral movement inside the company's environment.
  • Overview of the affected data sets (personal data of students, parents and staff) and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident affects PowerSchool's Rankiteo cyber score and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level for each mapping.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the PowerSchool breach identified under incident ID POW1393613112025.

The analysis begins with an overview of PowerSchool's profile: its LinkedIn page (https://www.linkedin.com/company/powerschool-group-llc), 150,832 followers, industry type E-Learning Providers, and 3,508 employees.

The video then explains how Rankiteo's incident engine converts the technical details of the compromise into a normalized incident score. Here the company score was 100 before the incident and 100 after it, a difference of 0; the size of that difference is intended as an indicator of the severity and impact of the incident.

Next, the video analyzes the incident in more detail, together with its impact on PowerSchool and its customers.

On 07 January 2025, PowerSchool disclosed a data breach, cyber extortion and unauthorized access under the banner "PowerSchool Data Breach Affecting Canadian Public Schools".

The breach affected Canadian public schools, particularly in Ontario and Alberta. The attacker used compromised credentials and an unsecured 'always-on' remote access feature to reach PowerSchool's student information system (SIS) and its customer support portal (PowerSource).

The impact spans both the PowerSchool Student Information System (SIS) and PowerSource (the customer support portal). Data exposure is confirmed, with nearly 5,200,000 records (Canada-wide) at risk.

In response, remediation began, including review and renegotiation of PowerSchool contracts, stricter remote access policies (vendor access on an 'as-needed' basis) and enhanced oversight of PowerSchool's security safeguards. Stakeholders are being briefed through public disclosures by the privacy commissioners, press releases and recommendations for school boards.

The case is now closed: reports have been published by the Ontario and Alberta Privacy Commissioners. The lessons drawn from it are:
  • Educational institutions must include robust privacy and security provisions in third-party vendor contracts.
  • Multi-factor authentication (MFA) and access controls are critical for protecting sensitive data.
  • 'Always-on' remote access features pose significant security risks and should be restricted.

The recommended next steps are:
  • Review and renegotiate agreements with PowerSchool to include privacy and security-related provisions.
  • Limit remote access to student information systems to an 'as-needed' basis.
  • Implement and enforce multi-factor authentication (MFA) for all systems handling sensitive data.

Advisories to stakeholders covered two points: the privacy commissioners urged school boards to renegotiate their PowerSchool contracts, and the Alberta Education Minister pledged closer collaboration with school boards to improve cybersecurity.
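Two of the lessons above are technical controls that can be checked rather than just written into a contract: restrict the vendor's 'always-on' remote maintenance access to an 'as-needed' basis, and enforce MFA for every login to a system holding student data. The following is an added example, not code from Rankiteo, PowerSchool or the privacy commissioners' reports. It models vendor access as short, ticketed just-in-time windows and replays authentication events against that policy, flagging any successful login that either lacked MFA or used the vendor account outside an approved window. The JSON log format, the account name "vendor-maint", the ticket ID and the IP addresses are all hypothetical and constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessWindow:
    user: str
    start: datetime
    end: datetime
    ticket: str


@dataclass
class JitAccessPolicy:
    """'As-needed' remote access: a vendor maintenance account is usable only
    inside a short, ticketed window instead of being always on."""
    max_hours: int = 4
    windows: list = field(default_factory=list)

    def grant(self, user: str, ticket: str, start: datetime, hours: int) -> AccessWindow:
        # Refuse open-ended or over-long windows; that is the 'always-on' anti-pattern.
        if not 0 < hours <= self.max_hours:
            raise ValueError(f"window must be between 1 and {self.max_hours} hours")
        window = AccessWindow(user, start, start + timedelta(hours=hours), ticket)
        self.windows.append(window)
        return window

    def is_open(self, user: str, at: datetime) -> bool:
        return any(w.user == user and w.start <= at < w.end for w in self.windows)


def audit_login_events(lines, policy, vendor_accounts, require_mfa=True):
    """Replay successful logins against the policy.

    Returns a list of (event, reasons); an empty list means no violations.
    'no-mfa' covers the compromised-credential path (valid creds should not be
    enough on their own); 'outside-approved-window' covers vendor remote access
    that is not tied to a current maintenance window."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("result") != "success":
            continue  # failed attempts are not policy violations for this check
        at = datetime.fromisoformat(event["ts"])
        reasons = []
        if require_mfa and not event.get("mfa", False):
            reasons.append("no-mfa")
        if event["user"] in vendor_accounts and not policy.is_open(event["user"], at):
            reasons.append("outside-approved-window")
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed sample log in a hypothetical format (not real PowerSchool telemetry).
SAMPLE_LOG = [
    '{"ts": "2024-12-19T14:10:00+00:00", "user": "vendor-maint", "source_ip": "203.0.113.10", "mfa": true, "result": "success"}',
    '{"ts": "2024-12-22T03:42:00+00:00", "user": "vendor-maint", "source_ip": "198.51.100.7", "mfa": false, "result": "success"}',
    '{"ts": "2024-12-22T03:45:00+00:00", "user": "teacher.jdoe", "source_ip": "192.0.2.25", "mfa": true, "result": "success"}',
    '{"ts": "2024-12-22T03:50:00+00:00", "user": "vendor-maint", "source_ip": "198.51.100.7", "mfa": false, "result": "failure"}',
    '{"ts": "2024-12-23T09:00:00+00:00", "user": "admin.sis", "source_ip": "192.0.2.40", "mfa": false, "result": "success"}',
]


def build_demo_policy() -> JitAccessPolicy:
    policy = JitAccessPolicy()
    # One approved maintenance window, opened against a (hypothetical) change ticket.
    policy.grant("vendor-maint", "CHG-1042",
                 datetime(2024, 12, 19, 14, 0, tzinfo=timezone.utc), hours=4)
    return policy


def run_demo():
    return audit_login_events(SAMPLE_LOG, build_demo_policy(), vendor_accounts={"vendor-maint"})


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(event["ts"], event["user"], event["source_ip"], ",".join(reasons))
```

On the sample log the vendor login on 19 December passes (inside the ticketed window, with MFA), the 03:42 vendor login on 22 December is flagged for both missing MFA and falling outside any approved window, the failed attempt is ignored, and the staff login without MFA is flagged on its own. In practice the window list would come from the change-management system and the events from the SIS or identity provider, but the two checks stay the same.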

Finally, we map the incident to the MITRE ATT&CK framework to see which tactics and techniques the available evidence supports.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence.

Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%). Evidence: compromised credentials allowed the threat actor to access the student information system (SIS) and the customer support portal (PowerSource); the entry point was compromised credentials for PowerSchool's SIS and PowerSource portal. It also identified External Remote Services (T1133) with high confidence (90%). Evidence: exploitation of an 'always-on' remote maintenance feature left unsecured by school boards.

Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%). Evidence: lack of multi-factor authentication (MFA) and the use of compromised credentials, which imply poor credential hygiene or storage. This mapping is inferred from the outcome rather than from an observed credential file; the reports cited on this page do not say where the credentials were obtained.

Under the Persistence tactic, the analysis identified External Remote Services (T1133) with moderate to high confidence (85%). Evidence: the 'always-on' remote maintenance feature left unsecured, which gave the threat actor a standing gateway into the environment.

Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (75%). Evidence: lack of MFA and poor oversight of PowerSchool's security measures (implied disabling of security controls). Caveat: T1562.001 describes an adversary disabling or modifying a defensive tool, whereas an MFA control that was never enforced is a missing control rather than evidence of tampering, so this mapping should be treated as speculative.

Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%). Evidence: sensitive records exfiltrated from SIS databases; personal data of students, parents and staff compromised.

Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (80%). Evidence: sensitive records were exfiltrated (method not specified, but implied via the unsecured remote access); data exfiltration is confirmed.

Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (30%), supported only by the cyber extortion motivation (no ransomware strain was confirmed). It also lists data theft with high confidence (100%), with evidence including exfiltrated sensitive records, confirmed data exfiltration and the personal data of 5.2 million Canadians exposed. The original analysis labels this entry "Data Theft (T1659)"; in ATT&CK, T1659 is Content Injection, and data theft has no technique of its own under the Impact tactic, so this evidence belongs with the Exfiltration mapping (T1048.003) above.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.