KPBSD PowerSchool Service Not Compromised In Nationwide Cyberattack

Author: Nick Sorrell

The massive nationwide cyberattack that targeted the education software giant PowerSchool did not impact the KPBSD, district officials say. According to national reports, the IP address where the attack originated belongs to a website and virtual hosting company based in Ukraine.

On Wednesday night, District Superintendent Clayton Holland confirmed that the KPBSD was not affected by the attack due to the vigilance of the District’s IT department. “We were not hacked. We’re not part of that because we had disabled the feature that allowed access from those foreign actors to access PowerSchool.”

The feature in question, a support feature, is used by PowerSchool to connect to the education software’s customer accounts to assist with various support tasks.

Eric Soderquist, KPBSD Director of Information Services, said his department’s practice is to keep that feature disabled unless it is necessary.

“It’s something that we really don’t lean on heavily, and kind of importantly, the recognition is that the support tool can be controlled by the customer,” Soderquist said. “So, KPBSD’s position with our PowerSchool is to disable the feature unless we’re actively working with support.”

He believes that leaving this feature enabled may have left affected districts vulnerable to cyber attackers. “I think what we’re going to find out as information continues to evolve here is that those impacted by this may have likely had the remote features enabled.”

Tech blog Bleeping Computer, which first reported the attack, says PowerSchool initially learned of the breach on Dec. 28, 2024.

“As a main point of contact for your school district, we are reaching out to make you aware that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource,” a notification sent from PowerSchool to Bleeping Computer said.

PowerSchool says the stolen data could include sensitive information for minors, such as names, addresses, phone numbers, Social Security Numbers, grade point averages, bus stops, passwords, notes, alerts, student IDs, parent information, and medical information.

As a result of the decision to keep the vulnerable support feature disabled, the KPBSD is not among the growing list of districts across the country now scrambling to figure out which of their students’ and staff members’ personal information may have been compromised.

Soderquist says KPBSD Information Services’ decision not to keep the support feature enabled was based on a fundamental IT philosophy of “least privilege.”

“You really set up [a system] in a position where you know it does not have power or functionality until such a time as the power functionality is necessary,” Soderquist said. “I think in the 2011 or 2012 era, when we first looked to deploy PowerSchool, we made the decision not to enable this by default and switch our posture from a default on to a default off for the remote support tool.”

He said data security within the district is a team effort and that the situation provides an opportunity to review and reflect on the ideas of defense-in-depth strategies. “We don’t just lean on one thing. You know, this particular situation highlights the fact that we have a firewall at the edge of our network and that actually saved us as well in this situation.”

Reports indicate that data was first stolen on Dec. 22, 2024, from IP address 91.218.50.11, which is located in Ukraine. CrowdStrike, the cybersecurity firm investigating the breach, is expected to release a report by Jan. 17.

As of Wednesday night, districts known to be impacted by the cyberattack are primarily on the East Coast and in Canada.
