In this article I’m going to talk about using OSINT to find information about the PowerSchool data breach.
The PowerSchool Breach
If you’re a parent who has a kid in school, or you’re teaching students in grades K-12, you’re already aware of what’s going on, as you’ve received a love letter from your school system informing you that they were using a vendor called PowerSchool, that PowerSchool was breached, and if PII (personally identifiable information) was exposed, you could anticipate an offer of Identity Theft protection/credit monitoring.
If you aren’t aware of the breach, PowerSchool is a vendor that provides schools with various products that let parents, students, and faculty/staff manage information such as grades or receive alerts and other communications. This description is painted with a broad stroke, but that’s the gist of what PowerSchool does.
On December 28th, 2024, PowerSchool became aware of a cybersecurity incident that impacted their SIS (Student Information System) platform. This platform is used to manage grades, student performance, and attendance, to name a few things.
The breach came about through the use of stolen login credentials. From there the threat actor stole a couple of databases that included data such as names and addresses; a small subset of the data included Social Security Numbers (SSNs), medical information, grades, and other PII. If you’d like to read further, you can check out this article by BleepingComputer.
Because this breach caught my attention, I alerted my newsletter subscribers. By the way, you can subscribe to the newsletter by using this link.
Collecting Data
In the alert, I quickly looked for news to very roughly gauge who was affected. One of those affected was a public school system from the State that I’m in.
After the alert went out, one of the newsletter subscribers shared with me the PowerSchool notification they received and then the following day a business connection sent me what they got in their inbox. So between what was reported in local news and these two people, there were three known school systems in the State impacted by the breach.
Later in the week, I attended a group for business owners and brought up the breach. A handful of the members shared even more school systems in the State that were impacted.
My initial curiosity was to put feelers out asking people to report in if they were affected, but I decided to dig myself. The primary question I wanted to answer was how many public schools in the State were impacted by the PowerSchool breach? This is where OSINT came into play.
For the uninitiated, OSINT is collecting information in the public domain, analyzing it, and making use of it. Sources include public facing websites, news, forums, government databases, and social media to name a few.
Because I already had a list of towns/cities in the State from a prior project, I was off to the races and hunting through each town’s website. Then I remembered how clunky the landing pages were, so I fired up a search engine and used the keywords: [town] public schools [state]
It was then a matter of going to each school system’s webpage and looking for any mention of PowerSchool. Once something was found, I then recorded it in a spreadsheet I made.
Some of the data collection was stupid simple as either the PowerSchool logo was displayed on the school system’s site or I was greeted with a splash page that alerted visitors about the data breach. It was an easy OSINT win up to this point.
The smaller challenges I ran into were login pages that had no indication what they were, save for a logo sometimes. For example, these login portals.
The small challenge of figuring out what these logins were for was quickly solved by viewing the webpage source code. It was in the source code that I found links to a service called Sharpschool.
After I collected everything I needed, I went to PowerSchool’s webpage and looked at what products they had. Sure enough, Sharpschool and a couple of others I ran into in my research were listed.
Also in my research, I discovered other EdTech vendors in use that compete directly with PowerSchool, which I documented in the spreadsheet.
While I didn’t spend time documenting this, there were a handful of vendors that provided the web design and hosting for the schools. After going through multiple dozens of school systems, you could tell who was using what for design and hosting by how things were displayed.
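The page-source check described above can be scripted, and its output feeds the counts in the next section. This is an added example, not the author's tooling; the keyword list, the `.example` hostnames and the sample pages are assumptions constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser

# Names come from the article; the keyword matching is this example's assumption.
VENDORS = {  # keyword: (product, spreadsheet group)
    "powerschool": ("PowerSchool", "powerschool"),
    "sharpschool": ("Sharpschool", "powerschool"),
    "schoology": ("Schoology", "powerschool"),
    "infinitecampus": ("Infinite Campus", "competitor"),
    "aspen": ("Aspen", "competitor"),  # also matches place names: check by hand
}

class Evidence(HTMLParser):
    """Collect link, logo and form attributes plus visible text from a page."""
    def __init__(self):
        super().__init__()
        self.attrs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.attrs += [v for k, v in attrs if v and k in ("href", "src", "action", "alt")]
    def handle_data(self, data):
        self.text.append(data)

def fingerprint(html):
    """Return {product: "source" | "text"} for vendors the page references."""
    page = Evidence()
    page.feed(html)
    page.close()  # flush any text that follows the last tag
    in_attrs, in_text = (" ".join(p).lower() for p in (page.attrs, page.text))
    found = {}
    for key, (product, _group) in VENDORS.items():
        if key in in_attrs:
            found[product] = "source"  # seen only by viewing the page source
        elif key in in_text:
            found[product] = "text"    # e.g. a breach notice shown to visitors
    return found

def classify(found):  # spreadsheet column; PowerSchool use takes priority
    groups = {g for product, g in VENDORS.values() if product in found}
    return next((g for g in ("powerschool", "competitor") if g in groups), "unknown")

def tally(pages):  # pages maps school system name to saved HTML
    return Counter(classify(fingerprint(h)) for h in pages.values())

SAMPLE = {  # constructed pages (.example hosts) standing in for saved source
    "Town A": '<form action="/login"><img src="//cdn.sharpschool.example/l.png"></form>',
    "Town B": "<h1>Notice</h1><p>PowerSchool data breach update</p>",
    "Town C": '<a href="https://portal.infinitecampus.example/">Parent Portal</a>',
    "Town D": '<form action="/login"><input name="user"></form>',
}
```

Calling `tally(SAMPLE)` counts two PowerSchool systems, one competitor and one unknown; "Town A" is the unlabeled login page case, identified only by the asset link in its source.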
Running the Numbers
In the grand scheme of things, what did my OSINT efforts reveal about the PowerSchool data breach in the State?
Out of 169 towns, the number of public schools that used any PowerSchool product was 147. That’s roughly 87% of public schools in the State.
Filtering out schools that only use PowerSchool services like Sharpschool, it leaves 141 public school systems using PowerSchool SIS. This is the product that was breached. This means about 95% of public schools across the State using PowerSchool SIS were potentially affected.
The number of public schools I found that were only using PowerSchool products Sharpstudent and Schoology was 24. That’s roughly 16% of public schools across the State. These sites
16 public school systems across the State used a competitor like Aspen or Infinite Campus.
There were 6 public school systems where I could not find any helpful information that showed me if they used PowerSchool products or not.
For those that are really into data analysis, one thing I don’t know is whether it’s possible to figure out the number of students in each public school. If you have ideas/suggestions I’m all ears. The State only breaks data down by town or district/region, which makes it difficult. The end goal is to use that data to figure out if any of the teachers/students at the alleged affected schools were part of the small subset that had PII exposed. Then I could possibly figure out the affected number and see how close I get should the State’s Attorney General release any breach notifications about the incident.
While I wouldn’t call this a juicy find, it was eye opening to see exactly how widespread use of PowerSchool was in this little OSINT adventure that’s related to the data breach.
Need Help?
If your organization needs or wants to utilize OSINT, whether it’s for cybersecurity or a research project, let’s talk. If you’re a law firm that needs help with a case, you can check out our services here and let’s schedule a call.
Please fill out the form below, or call 203.828.0012, to learn how Bsquared Intel can assist you.