
According to a recently published forensic report by the US cybersecurity firm CrowdStrike, a hacker had compromised the US edtech giant PowerSchool several months prior to the ‘massive’ data breach that occurred in December. The report alleges that the initial breach took place before the December incident, which had significant consequences.

PowerSchool has sent a letter to affected customers, which was obtained by TechCrunch, confirming that an ongoing investigation has revealed unauthorized activity on its network prior to December. The cybersecurity firm CrowdStrike dated this activity back to at least August 2024.

Previously, PowerSchool stated that it had detected unauthorized access to its systems between December 19 and December 28, 2024, when the breach was discovered. However, new information suggests that the initial compromise occurred earlier.

The CrowdStrike report reveals that a hacker used compromised support credentials to gain access to PowerSchool’s network between August 16, 2024, and September 17, 2024. These credentials were used to access PowerSchool PowerSource, the customer support portal that was also compromised in the December breach, allowing the hacker to gain access to PowerSchool’s school information system (SIS).

According to CrowdStrike, PowerSource is a portal that “allows a support technician with sufficient permissions to gain access to customer SIS database instances for maintenance purposes.” The hacker, holding the compromised support credentials, used this maintenance capability to gain unauthorized access.

Because of insufficient log data, CrowdStrike could not find enough evidence to attribute the earlier activity to the same threat actor responsible for the December 2024 breach. Even so, the findings suggest that changing the compromised credentials sooner could have prevented the December breach.

When questioned by TechCrunch, PowerSchool spokesperson Beth Keebler declined to comment on whether the company was aware of the earlier network access prior to the release of the CrowdStrike report.

The PowerSchool breach has raised many unanswered questions, including the total number of individuals affected. Although PowerSchool has refused to provide an accurate figure, reports suggest that the personal information of over 60 million students may have been accessed.

