As the New Year begins, recent cyber attacks on educational organizations remind me how important it is for Identity Security to stay ahead of bad actors.
PowerSchool is the largest provider of cloud-based education software for K-12 education in the U.S., supporting more than 50 million students. Hackers successfully breached its customer support portal, allowing further access to the company’s information systems.
A short time after, news broke of small public schools being hit with cyberattacks in Maine. The first was a breach in the internet network in the South Portland School District coming from an attacker in Bulgaria. At a different Maine school district, a student’s email address was hacked and used in a phishing scam, again by someone outside the country. They sent emails out to around 1,400 different accounts.
Organizations serving students large and small, public and private, are being targeted. Education is no longer a safe space from threat actors, and we urge leaders to take proactive steps to shore up their systems against attack. We take seriously our responsibility to help, and one way is by sharing learnings from these incidents to help take action to avoid the same outcomes.
Lesson 1: Block Access From the Start
The hackers that hit PowerSchool gained access using a compromised credential. Today, somewhere between 60% to 70% of all cybersecurity incidents are using compromised credentials.
The primary lesson learned of this incident is for all organizations to invest in maturing their privilege user access management (PAM) capabilities, to increase cyber resilience against threat actors attempting to gain privilege access using compromised user credentials.
The breach of the PowerSource customer support portal led to additive access to a privileged user(s) (often a power user or systems administrator account) that enabled access to the student personal information. Educational software is typically purchased by parents of students so it is likely their payment information was compromised.
Adopting a zero-standing privilege model with just-in-time access capabilities minimizes risk exposure from the start.
Lesson 2: Look to a Passwordless Future
A secondary lesson learned from these incidents is the need for cloud service providers to reduce the use of passwords that can be compromised. Passwords were never designed to be used in today’s world, where an average person could have dozens of unique passwords across their digital assets. We need to evolve digital identity security to stop relying on passwords.
Organizations can look to a passwordless system that is scalable, where no credentials have to be stored and therefore able to be compromised.
Lesson 3: Attackers Target the Vulnerable
Something the Director of Technology at the South Portland School District said stuck with me. He said: “We’re schools. We’re not Fortune 500 companies.” He didn’t think they were targeted. They just got unlucky.
The truth we need to face is that as cyberattacks become more frequent and sophisticated, it’s not a matter of luck. Cybercriminals will find vulnerable systems and specifically vulnerable targets. Threat actors learn how to allocate their resources to optimize the return from their malicious activities with minimal work and to scale–creating more profit and, unfortunately, more victims.
In the case of PowerSchool, the victims were K-12 students that use the PowerSchool online educational content. Personal information about children below the age of 18 is particularly attractive to cyber criminals to create digital identities used to procure goods and services or generate loyalty points for digital consumers.
It’s not just the Fortune 500 companies that need to modernize their identity security infrastructure. Any vulnerable systems, especially schools and companies containing student data, are like homing beacons for attackers.
2025 might be the year to transform identity security in the education sector, and now is a good time for a New Year’s resolution to deploy more mature authentication and identity security capabilities to protect students.
Back to Blog
-1.png)
