Leader in Cyber Underwriting

Loading...

NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop

WindowsmacOSLinux

Analyze » PowerSchool » POW5775757112625

Incident Score: Analysis & Impact (POW5775757112625)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-294

Company Score Before Incident625 / 1000

Company Score After Incident331 / 1000

Company LinkView PowerSchool Profile

INCIDENT NUMBERPOW5775757112625

Type of Cyber IncidentRansomware

ATTACK VECTORCredential Theft (Contractor), Data Exfiltration to Leased Server, Ransom Demand

DATA EXPOSEDTrue

INCIDENT DATE31/08/2023

STATUSOngoing (Lane pleaded guilty; sentencing pending)

Key Highlights From The Incident Analysis

Timeline of PowerSchool's Ransomware and lateral movement inside company's environment.
Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
How Rankiteo’s incident engine converts technical details into a normalized incident score.
How this cyber incident impacts PowerSchool Rankiteo cyber scoring and cyber rating.
Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the PowerSchool breach identified under incident ID POW5775757112625.

The analysis begins with a detailed overview of PowerSchool's information like the linkedin page: https://www.linkedin.com/company/powerschool-group-llc, the number of followers: 159772, the industry type: E-Learning Providers and the number of employees: 3504 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 625 and after the incident was 331 with a difference of -294 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on PowerSchool and their customers.

On 07 January 2024, PowerSchool disclosed Data Breach, Ransomware and Extortion issues under the banner "PowerSchool Data Breach and Ransomware Extortion by Massachusetts College Student".

A 19-year-old Assumption College student, Matthew Lane, hacked education tech giant PowerSchool in December 2023, stealing sensitive data of tens of millions of students and teachers (including names, email addresses, phone numbers, Social Security numbers, dates of birth, med...

The disruption is felt across the environment, affecting PowerSchool internal systems and Leased external server (for data storage), and exposing True, with nearly Tens of millions (from 60M+ students and 9M+ teachers) records at risk, plus an estimated financial loss of $2.85M (ransom paid in ~30 bitcoin) + additional penalties/forfeitures (amount undisclosed).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Isolation of compromised systems (assumed) and Ransom payment to prevent data leak, and began remediation that includes Customer notifications (disclosed January 7) and Direct engagement with affected districts, and stakeholders are being briefed through Public disclosure (January 7) and Statement emphasizing commitment to customers.

The case underscores how Ongoing (Lane pleaded guilty; sentencing pending), with advisories going out to stakeholders covering PowerSchool notified customers on January 7, 2024.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including compromised contractor’s credentials in September 2023, and entry point such as Compromised contractor credentials (September 2023). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%), with evidence including insufficient protection of contractor credentials, and compromised contractor credentials (specific vulnerability undisclosed). Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (80%), with evidence including accessed one school district’s data initially, then exfiltrated broader data in December, and reconnaissance period such as September–December 2023. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), supported by evidence indicating lack of detection for data exfiltration over 3+ months. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (85%), with evidence including accessed one school district’s data initially, then exfiltrated broader data, and reconnaissance period such as September–December 2023. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating stealing sensitive data of tens of millions... names, email addresses, phone numbers, SSNs, dates of birth, medical info, passwords. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration to Cloud Storage (T1048.003) with high confidence (95%), with evidence including exfiltrated sensitive data... to a leased server, and data Exfiltration to Leased Server. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (75%), with evidence including type such as Ransomware, and ransom demanded such as ~30 bitcoin (~$2.85M) and Data Theft for Extortion (T1659) with high confidence (95%), with evidence including demanded a ransom... threatening to leak the data globally, and extortion in type. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Sources & References

PowerSchool Rankiteo Cyber Incident Details: https://www.rankiteo.com/company/powerschool-group-llc/incident/POW5775757112625
PowerSchool CyberSecurity Rating page: https://www.rankiteo.com/company/powerschool-group-llc
PowerSchool Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/pow5775757112625-powerschool-ransomware-september-2023/
PowerSchool CyberSecurity Score History: https://www.rankiteo.com/company/powerschool-group-llc/history
PowerSchool CyberSecurity Incident Source: https://therecord.media/college-student-to-plead-guilty-to-powerschool-hack
Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/Images/rankiteo_algo.pdf
Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf