
PowerSchool’s Commitment to Cybersecurity – Sharing Learnings to Strengthen the K-12 Education Sector

Authored By:

Mishka McCowan

Chief Information Security Officer
PowerSchool  

As a leading global provider of K-12 education technology, PowerSchool takes our responsibility to protect student, family, and educator data privacy extremely seriously. 

We also know that a 2024 incident involving one of our legacy systems raised questions and concerns from our customers, their families, and education leaders who all share our same goal: protecting student and staff data. 

As part of our commitment to cybersecurity, we want to convey our learnings and how we are further strengthening the security of our systems to protect our customers and enhance security practices across the entire sector.

We took immediate actions to prevent the data involved from further unauthorized access or misuse, and to secure the impacted environment, including:  

  • Deactivating the compromised credential 
  • Enforcing a full password reset for employees and contractors 
  • Restricting access to the PowerSource customer support portal  
  • Requiring that employee access to the PowerSource environment go through the company's VPN, which requires single sign-on (SSO) and multi-factor authentication (MFA)

While this incident was indeed challenging, it has helped us set higher standards for transparency with our customers, regular assessment and pressure-testing of our security practices, and cybersecurity awareness and collaboration at scale. 

For a detailed overview of the cybersecurity incident, answers to common questions, the CrowdStrike Incident Report, and how to access identity protection services and credit monitoring for affected individuals, please review the incident webpage.   

Always-on security monitoring & threat detection

Resilient and reliable cybersecurity protection requires the implementation and regular upgrading of the latest security systems and processes. At PowerSchool, we invest significantly in advanced security technologies, including static and dynamic code scanning, best-of-breed network and workload protection, intrusion detection and prevention systems, advanced endpoint protection, and more than 30 annual penetration tests.

Following the 2024 incident, we audited our security procedures and implemented additional hardening efforts. These include implementing biometric authentication (e.g. fingerprint recognition) for employees, reducing the authorization window for scheduled maintenance, and limiting the number of SIS instances a single account can log into during a 24-hour period. These are just a few examples of how our teams are continually tightening security controls. 
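The per-account limit on SIS instances described above can be enforced or audited by replaying authentication events over a sliding 24-hour window. The block below is an added illustration, not PowerSchool's code; the threshold value, the event format and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold: the page says a limit exists but does not state its value.
MAX_INSTANCES = 3
WINDOW = timedelta(hours=24)

# Constructed sample login events: (ISO timestamp, account, SIS instance).
# Illustrative only, not records from any real system.
SAMPLE_EVENTS = [
    ("2024-12-20T08:00:00", "svc-support", "district-a"),
    ("2024-12-20T09:30:00", "svc-support", "district-b"),
    ("2024-12-20T10:00:00", "svc-support", "district-a"),  # instance already counted
    ("2024-12-20T11:15:00", "svc-support", "district-c"),
    ("2024-12-20T12:45:00", "svc-support", "district-d"),  # 4th distinct instance in 24h
    ("2024-12-20T13:00:00", "jdoe", "district-a"),         # separate account, separate budget
    ("2024-12-21T11:00:00", "svc-support", "district-e"),  # earlier logins have aged out
]


def evaluate(events, max_instances=MAX_INSTANCES, window=WINDOW):
    """Replay login events in time order and decide allow/deny for each.

    Per account we keep the last successful login time per instance. Entries
    older than the window are dropped before each decision, so the count is
    over a sliding 24-hour window, not a calendar day. Denied attempts are not
    recorded, so they cannot consume the budget. Returns a list of
    (timestamp, account, instance, decision) tuples.
    """
    last_seen = defaultdict(dict)  # account -> {instance: last login time}
    decisions = []
    for ts_text, account, instance in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts_text)
        seen = last_seen[account]
        for stale in [i for i, t in seen.items() if now - t > window]:
            del seen[stale]
        if instance in seen or len(seen) < max_instances:
            seen[instance] = now
            decision = "allow"
        else:
            decision = "deny"  # block and alert: one account fanning out across instances
        decisions.append((ts_text, account, instance, decision))
    return decisions


if __name__ == "__main__":
    for ts_text, account, instance, decision in evaluate(SAMPLE_EVENTS):
        print(f"{ts_text} {account:12} {instance:11} {decision}")
```

The same replay works as a detection rule over historical logs: a "deny" for an account that should only ever serve one or two districts is worth an investigation ticket even if the control was not enforced at login time.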

Finally, our Security Operations Center runs around the clock, ensuring members of our security team are monitoring and responding to security issues on an organizational and technical level. 

These security systems and processes successfully defend our customers against more than a billion unauthorized attempts to access our systems each year and our web application firewall on average blocks over 66 million attacks against our customers each month. 

Immediate and consistent communication 

Navigating this incident re-affirmed the importance of communicating accurately and with urgency to ensure customers, their communities, and the broader public have the information they need. 

As soon as we discovered unauthorized access, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. 

Ten days later, on January 7th, we communicated with all PowerSchool customers what we knew about the incident. This initial communication alerted affected customers that their data may have been exfiltrated, and alerted non-affected customers of the issue to ensure they heard it first from us and knew their systems were not impacted and would be operating as normal.  

Within another ten days of that notification, we prepared and distributed over 20 critical documents to support our customers’ internal log audits and communications with families, staff, policy makers, and media. We also hosted thousands of customer calls and webinars to quickly and efficiently answer urgent questions, share updates, and equip our customers with the resources they need to support their families and staff. This timeline represents less than 5% of the normal time it takes companies to alert users following a breach (according to a recent report by IBM). 

Continuous customer support 

While we have seen no evidence that there is any malware or continued unauthorized activity, we understand the concern our customers, their staff and families have regarding the incident. 

That’s why PowerSchool has taken several steps as part of our response to support our customers and their communities through this process. This includes notifying relevant regulators on our customers’ behalf in applicable jurisdictions as well as students (or their parents/guardians) and educators in the U.S. and Canada.  

In these geographies, we have offered involved students and educators complimentary identity protection services including, if applicable, credit monitoring services, regardless of whether an individual’s sensitive data was exfiltrated.  

In countries outside of the U.S. and Canada where Experian offers such services, PowerSchool is offering two years of complimentary identity protection services for all students and educators whose information was involved, regardless of what information about an individual was exfiltrated. 

We are also continuing our third-party compliance audits, including ISO 27001 and SOC 2 Type 2 certification, along with accreditations from industry leaders including TrustArc and 1EdTech, to ensure our customers can validate our rigorous and ongoing commitment to cybersecurity.

To review our comprehensive commitment to cybersecurity, data privacy & infrastructure, please visit PowerSchool.com/security.