Why The PowerSchool Breach Matters for Non-School Entities Too
PowerSchool, a widely used student information system, experienced a significant data breach over the Christmas break. A third-party support account was compromised — likely through phishing — and those credentials were used to access multiple PowerSchool-hosted servers. The attacker downloaded student and staff data from affected schools, potentially including social security numbers, health conditions, medical alerts, and insurance information.
Most Iowa schools use PowerSchool as their student information system, making this breach particularly impactful in our region.
What Went Wrong
The breach revealed critical security gaps in PowerSchool’s support infrastructure:
- The support portal lacked multi-factor authentication (MFA)
- Support tunnels remained open without requiring explicit authorization for each session
- A single compromised account provided access to millions of records across multiple servers
Lessons for Every Organization
This breach has implications well beyond educational institutions. Every organization should evaluate whether their technology service providers:
- Require MFA on all support and administrative portals
- Grant support access only when it is explicitly authorized, one session at a time
- Restrict third-party vendor network access to only the resources and data necessary
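As an added illustration (not code from the original post, and not PowerSchool's or any vendor's real implementation), the following Python models the three controls above as a single access check for a vendor support session: the account must have passed MFA, there must be an unexpired, unused authorization for this specific session and server, and the requested data must fall within that authorization's scope. All names, servers, table names and timestamps are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time for the example (hypothetical).
NOW = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)


@dataclass
class SupportRequest:
    """A vendor support account asking to open a session to one hosted server."""
    account: str
    mfa_verified: bool          # did the login complete a second factor?
    server: str
    tables: frozenset           # data the session wants to touch


@dataclass
class Authorization:
    """A per-session grant from the customer: scoped, time-limited, single-use."""
    account: str
    server: str
    tables: frozenset
    granted_at: datetime
    ttl: timedelta
    consumed: bool = False      # one authorization opens at most one session


def evaluate(req, authorizations, now):
    """Return (allowed, reasons). Every failed control is reported, not just the first."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")

    # Find an authorization that matches this account/server, is unused and unexpired.
    match = None
    for auth in authorizations:
        if auth.account != req.account or auth.server != req.server or auth.consumed:
            continue
        if now > auth.granted_at + auth.ttl:
            continue                # stale approval: a standing "open tunnel" is never allowed
        match = auth
        break

    if match is None:
        reasons.append("no_active_session_authorization")
    elif not req.tables <= match.tables:
        reasons.append("scope_exceeds_authorization")

    if reasons:
        return False, reasons
    match.consumed = True           # burn the grant so it cannot be replayed for another session
    return True, []


def sample_authorizations():
    """Constructed grants: one fresh, one expired, one narrowly scoped."""
    return [
        Authorization("vendor-support-01", "district-a", frozenset({"students", "staff"}),
                      granted_at=NOW - timedelta(minutes=10), ttl=timedelta(hours=1)),
        Authorization("vendor-support-01", "district-b", frozenset({"students"}),
                      granted_at=NOW - timedelta(days=2), ttl=timedelta(hours=1)),
        Authorization("vendor-support-01", "district-c", frozenset({"attendance"}),
                      granted_at=NOW - timedelta(minutes=1), ttl=timedelta(hours=1)),
    ]


def run_scenarios():
    """Exercise each control; returns a dict of scenario name -> (allowed, reasons)."""
    auths = sample_authorizations()
    acct = "vendor-support-01"
    results = {}
    # Password-only login is refused even though a valid grant exists.
    results["no_mfa"] = evaluate(SupportRequest(acct, False, "district-a", frozenset({"students"})), auths, NOW)
    # MFA + fresh per-session grant + in-scope data: allowed, and the grant is consumed.
    results["ok"] = evaluate(SupportRequest(acct, True, "district-a", frozenset({"students"})), auths, NOW)
    # Replaying the same grant for a second session is refused.
    results["reuse"] = evaluate(SupportRequest(acct, True, "district-a", frozenset({"students"})), auths, NOW)
    # A two-day-old approval no longer opens anything.
    results["expired"] = evaluate(SupportRequest(acct, True, "district-b", frozenset({"students"})), auths, NOW)
    # Asking for more data than the customer approved is refused.
    results["scope"] = evaluate(SupportRequest(acct, True, "district-c", frozenset({"attendance", "staff"})), auths, NOW)
    # A server the customer never approved at all.
    results["other_server"] = evaluate(SupportRequest(acct, True, "district-z", frozenset({"students"})), auths, NOW)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>13}: {outcome}")
```

The point of the single-use, time-limited grant is that one compromised support credential buys the attacker nothing on its own: without a customer-issued authorization for that server and that session, and without a second factor, the session never opens, and a grant that has been used or has aged out cannot be reused to reach the next server.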
Evaluate Your Vendors
Be cautious when allowing third-party vendors, such as those supporting solar arrays, HVAC systems, or surveillance systems, to access your network. Companies like Verkada require explicit permission for each device access, and Scale Computing requires opening support tunnels only when needed. These are the kinds of practices you should expect from your vendors.
Take this opportunity to review your vendor access policies with a security-first mindset. If you need help evaluating your organization’s third-party access controls, contact our team.