PowerSchool Data Breach: Our Analysis
- William Trelawny
- Jan 11
- 3 min read

source: BleepingComputer.com
Summary
PowerSchool, one of the largest "edtech" (education technology) companies in the world, suffered a costly breach that exposed sensitive data including personal and academic information of students and teachers from multiple K-12 school districts.
And while there was an aspect of ransom involved, this doesn't appear to have been a ransomware attack. The attackers used compromised credentials of a privileged user who had access to their internal tool PowerSource, exfiltrated the data, then demanded payment from PowerSchool or else they'd publish the data.
Key Takeaways
There are a few key takeaways from this breach that every business, large or small, can apply to their IT systems to help ensure this doesn't happen to them too:
Problem #1: Attackers used compromised credentials to access the backend system
Attack Vector: IDENTITY
Secure authentication is one of the most basic tenets of cybersecurity! You can have all the expensive cutting-edge detection in the world, but if a credential gets stolen then your detection tech will probably think this activity is legitimate.
And don't just secure your authentication once; you need to conduct regular audits to ensure your users are following your policies!
The article doesn't mention this, but where was the multi-factor authentication (MFA) protection? Even with a stolen credential, the attacker should still have had to get a code or prompt on a device owned by a legitimate user to log in. Unless MFA was not enforced on this portal, which would be a HUGE gap in security!
Problem #2: The attack came from a Ukrainian IP address.
Attack Vector: ACCESS
According to the article, the attacker's source IP address belongs to a "website and virtual hosting company in Ukraine." Now, I'm sure for a company of PowerSchool's size, there may be legitimate traffic to/from Ukraine to their systems so they can't just outright block the entire country.
But no privileged system that gives access to sensitive data should be accessible from just any IP address. Even with a stolen credential, the attackers should never have been able to reach the login page of the PowerSource portal.
These systems should ONLY be accessible: 1) while connected to a corporate VPN, 2) from approved corporate devices, and again, 3) by passing an MFA challenge.
What YOU Can Do
This attack doesn't appear to be very sophisticated and could have been easily prevented with just a few basic measures:
MFA or Die!
If you're not using MFA to secure all your logins, it's just a matter of time until you get hacked. And for as easy and affordable as it is to set up and use, there's just no reason not to use it.
VPN or Die!
Internal systems should ONLY be accessible from your corporate VPN. And for SaaS-based companies & software, implement strict device whitelisting and physical security tokens to control access!
Or take it one step further and implement anomaly detection that triggers additional verification if access attempts are made from a new device or IP address.
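Here is what the two controls above look like in practice: an added example (not code from the article or from PowerSchool's systems) that triages portal login records, denying anything that did not arrive over the corporate VPN and forcing a fresh MFA challenge when a known account shows up from a device or IP it has never used. The VPN address pool, the account name, the device names and the log line format are all constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed assumptions: the corporate VPN address pool and, per privileged
# account, the devices and VPN-side IPs it has previously logged in from.
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")
KNOWN_LOGINS = {
    "support-admin": {"devices": {"LAPTOP-A1"}, "ips": {"10.8.4.21"}},
}

# Constructed portal access log lines in a simple key=value format.
SAMPLE_LOG = [
    "2025-01-05T02:14:07Z user=support-admin ip=203.0.113.77 device=UNKNOWN result=success",
    "2025-01-05T09:02:41Z user=support-admin ip=10.8.4.21 device=LAPTOP-A1 result=success",
    "2025-01-05T09:30:12Z user=support-admin ip=10.8.9.3 device=LAPTOP-A1 result=success",
    "2025-01-05T10:11:55Z user=support-admin ip=10.8.4.21 device=TABLET-Z9 result=success",
]

LINE_RE = re.compile(r"user=(\S+) ip=(\S+) device=(\S+) result=(\S+)")


def evaluate_login(user, ip, device, known=KNOWN_LOGINS, vpn=VPN_POOL):
    """Decide what to do with a login to a privileged internal portal.

    Returns (decision, reason):
      "deny"    - source address is outside the VPN pool, so the login page
                  should never have been reachable in the first place
      "step_up" - on VPN, but from a device or IP this account has not used:
                  require an additional MFA challenge before granting access
      "allow"   - device and IP both match this account's history
    """
    if ipaddress.ip_address(ip) not in vpn:
        return "deny", "source not on corporate VPN"
    profile = known.get(user, {"devices": set(), "ips": set()})
    if device not in profile["devices"]:
        return "step_up", "unrecognised device"
    if ip not in profile["ips"]:
        return "step_up", "new source IP for this account"
    return "allow", "known device and IP"


def triage_log(lines):
    """Run every parsable log line through evaluate_login; skip malformed lines."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip, device, _result = m.groups()
        decision, reason = evaluate_login(user, ip, device)
        results.append((user, ip, device, decision, reason))
    return results
```

Run `triage_log(SAMPLE_LOG)` and the first line (a public IP with an unknown device) is denied outright, the second is allowed, and the last two are flagged for step-up verification because of a new IP and a new device respectively.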
Raise Staff Awareness!
There is no indication this specific attack involved social engineering, but the credentials were stolen somehow, likely from some form of social engineering. Foster a culture of security at your organization by conducting annual training to raise awareness of phishing and other social engineering attacks.
Take it one step further and conduct random simulated phishing attacks against your employees and see how well they do! This can also indicate which tactics they may be more susceptible to than others.
Ready? Let's Go!
Want to keep your business out of the next breach headline? Want to implement the solutions outlined above but not sure how, or don't have the time, staff, etc.?
Fountainhead Cyber can help! We specialize in delivering the same world-class cyber solutions employed by the biggest companies in the world at an affordable cost. We aim to be your partner on your cyber maturity journey, working closely with you to educate, enable, and empower you to achieve your business goals.
Contact Us for a FREE consultation now!
Hard to believe there are companies out there giving devices to employees to access internal data without MFA and VPNs. Should be common practice at this point!