Showing posts with label cybersecurity. Show all posts

Saturday, January 18, 2025

PowerSchool Breach Highlights Growing Cybersecurity Risks in America’s Schools

MCPS uses PowerSchool. PowerSchool confirmed earlier this month that it was hacked. PowerSchool is MCPS' student information system. The complete article is here, at the Foundation for Defense of Democracies website. Reported by Senior Policy Analyst Jiwon Ma and intern Mario Riofrio.

PowerSchool, a cloud-based software provider for K-12 schools, confirmed on January 7 that hackers breached its systems late last year, affecting thousands of school districts across the United States and globally. PowerSchool admitted on January 15 that the unnamed hackers accessed all of its 60 million student and teacher records, underscoring the urgent need to integrate cybersecurity into school infrastructure protection strategies and adopt stronger measures to mitigate cyber threats.  

Hackers Stole Student Social Security Numbers 

PowerSchool helps schools manage information and communication needs, using the platform to manage grades, attendance, and other student records. Hackers breached the platform using compromised credentials available on the dark web, pilfering student names and addresses, and, in some cases, Social Security numbers and medical records. Press reports indicate PowerSchool paid a ransom to the attackers in exchange for assurances that they would delete the stolen data. 

Hackers Increasingly Target Schools for Sensitive Data 

The PowerSchool data breach illustrates a growing trend in cyberattacks, which have shifted from traditional ransomware attacks to ones paired with data theft extortion. Instead of encrypting systems and demanding payment for their release, hackers now engage in dual extortion, stealing the sensitive information — instead of or in addition to encrypting it — and threatening its exposure to pressure victims into paying a ransom.  

Meanwhile, American school districts are increasingly exploited by criminal hackers looking for easy targets. From January 2023 to June 2024, at least 83 cyberattacks targeted U.S. K-12 schools. While the number of reported ransomware cases dropped between 2023 and 2024, the true number of incidents is likely higher. Since October 2024, victims have reported at least another 85 additional incidents, reflecting an alarming trend.  

Initial Efforts to Improve Cybersecurity Need a Jumpstart 

Over the past two years, the Biden administration has attempted to focus efforts on the cybersecurity of schools, organizing a “Cybersecurity Summit for K-12 Schools” in August 2023 that featured initiatives by technology companies to provide free and low-cost cybersecurity tools and services. PowerSchool itself partnered with the Cybersecurity and Infrastructure Security Agency to offer free and subsidized cybersecurity training and resources to K-12 schools.  

Meanwhile, late last year, the Federal Communications Commission launched a pilot program to provide $200 million to schools and libraries to purchase cybersecurity products. Building on this momentum, the White House Office of the National Cyber Director announced in December 2024 that thanks to federal funding, all K-12 public schools in Rhode Island will implement a cybersecurity service designed to block harmful websites and protect student data.  

Thursday, May 5, 2022

MD Office of Legislative Audits Report on Baltimore County Public Schools Cybersecurity Incident



Finding 6 – We recommend that BCPS

a. periodically review employee access capabilities to ensure all access is appropriate and incompatible duties are segregated (repeat) In Progress

Finding 8 – We recommend that BCPS implement appropriate database monitoring controls over the aforementioned critical systems. Specifically, we recommend that BCPS

a. log all significant database security, audit related event, and processing activities, including direct changes to critical database tables, and generate reports that include this related database activity (repeat) Resolved

b. ensure that individuals perform regular, independent documented reviews of the aforementioned reports and retain the information for reference purposes (repeat) Resolved

c. restrict assignment of critical database administration roles to only those personnel requiring such access for their job responsibilities (repeat) Resolved

Finding 9 – We recommend that BCPS

a. relocate all publicly accessible servers to a separate protected network zone to limit security exposures to the internal network segment (repeat) Resolved


Monday, March 14, 2022

Why K-12 Needs to Prioritize Cybersecurity: Lessons Learned from the DHS Forum on Prevention

Data. It’s a simple word that often gets lost in translation. However, the data footprint is vital, and we all have one. As a student or community member, if you are online, you are creating valuable data. Even with growing concern over privacy and access issues, only 22% of school administrators view cybersecurity as a threat. The importance of cybersecurity protection, especially for school districts, is becoming increasingly important as more school and state leaders become aware of how valuable student information is to those looking to steal it. In the complex and evolutionary world of cyber threats and attacks, it is difficult to know where to start and how to keep up. How can state and district leaders protect their students? What is the best course of action?

These questions and more were addressed on January 25th and 26th during the Digital Forum on Prevention, hosted by the Center for Prevention Programs and Partnerships (CP3) along with the Cybersecurity and Infrastructure Security Agency’s (CISA) School Safety Task Force and the Department of Education’s Office of Educational Technology. This Forum featured two days of online panels and workshops of experts, researchers, and practitioners. Within four panels and two workshops, 833 attendees, 48% of which self-identified as being from the education field, heard discussions between experts and leaders on a public health-informed strategy to prevention, online safety, and multidisciplinary approaches to student and educator well-being, as well as learned of preventative solutions including improving digital literacy, critical thinking skills, and cybersecurity resources to build resilience.

The fourth and final panel of the forum, titled “Cybersecurity in Building Resilience” discussed ways in which CISA, the Department of Education’s Office of Educational Technology (OET), local education agencies (LEAs) and state education agencies (SEAs), and educational nonprofits are working together to prioritize cybersecurity for K-12 schools. Moderated by Marlon Shears, Chief Information Officer from Fort Worth Independent School District, the panel featured diverse representation in the emerging K-12 cybersecurity field including the Office of Educational Technology’s Deputy Director, Kristina Ishmael, Sean McAfee, Deputy Branch Chief of Cyber Defense Education and Training at CISA, Doug Levin, co-Founder and National Director of K12 Security Information Exchange, David Mendez, Information Security Lead and Technical Project Manager at Region 10 Education Service Center, Rod Russeau, Director of Technology and Information Services at Community High School District 99 and Chairperson for the Consortium for School Networking Cybersecurity Initiative.

Of the topics discussed, the panel members gave special consideration towards the importance of why state and local government leaders need to prioritize cybersecurity, what educators and teachers can do to protect students right now, and how we can promote resiliency and good online habits for both learners and educators in the coming future...

https://medium.com/@OfficeofEdTech/why-k-12-needs-to-prioritize-cybersecurity-lessons-learned-from-the-dhs-forum-on-prevention-331483bfdc7c