Cyber Incident Weekly Report - Week of January 27, 2025

Massive PowerSchool Data Breach Exposes Millions of Student and Educator Records

WHAT HAPPENED: Threat actors stole vast amounts of historical data from school districts in the U.S. and Canada by breaching PowerSchool’s Student Information System (SIS). The breach, enabled by a compromised maintenance account credential, exposed personal details such as names, birthdates, medical records, and Social Security numbers of students and staff. PowerSchool reportedly paid a ransom to prevent public data exposure and engaged security firms for forensic analysis, though its promised report remains unpublished. The Toronto District School Board confirmed that data from as far back as 1985 was compromised, affecting an estimated 72 million individuals. With at least 2.7 million records confirmed stolen, lawsuits are mounting against PowerSchool, and affected individuals are being offered free identity theft protection. Despite assurances that the stolen data was deleted, significant concerns remain about PowerSchool’s security measures and response transparency.

CONCERNING: Schools, PowerSchool, Third-party.

SENSCY'S ANALYSIS: SensCy last reported on this incident earlier this month; additional information about the breach is now available. The PowerSchool data breach was enabled by a compromised maintenance account credential, possibly obtained through information-stealing malware or as part of a previous breach. This access allowed attackers to infiltrate the Student Information System (SIS) and exfiltrate sensitive data on students, educators, and guardians. With over 72 million individuals affected, the breach exposes them to identity theft, phishing, and social engineering attacks. The theft of medical records and disability information also raises privacy concerns and potential discrimination and blackmail risks. Schools using PowerSchool SIS must conduct forensic investigations to assess the full scope of data exfiltration. To prevent future breaches, SensCy recommends that schools enforce multi-factor authentication (MFA) for all administrative accounts and limit maintenance account privileges. Regular security audits and staff cybersecurity training can reduce risks from credential theft. Proactive monitoring of logs for suspicious activity would enable early threat detection. Encrypting stored data ensures that even if it is accessed, it remains unreadable without proper authorization. Schools should also demand transparency and stronger security commitments from third-party vendors like PowerSchool. Moving forward, affected districts must provide clear communication and support to those impacted, including extending identity theft protection. Cybersecurity partnerships between school districts and security firms can help implement best practices and improve incident response plans. SensCy believes the PowerSchool breach highlights the urgent need for educational institutions to prioritize cybersecurity and vendor risk management.

Texas County Declares Disaster After Cyberattack Disrupts Services

WHAT HAPPENED: Matagorda County, Texas, declared a disaster after a cyberattack compromised internal systems, disrupting government operations. Officials discovered the breach on Friday, linking it to an unauthorized access point, though emergency services remained unaffected. Cybersecurity experts, state agencies, and the FBI are assisting in containment and restoration efforts, with some online services already being recovered. In-person transactions remain unavailable, prompting alternative payment options for residents. No hacking group has claimed responsibility, and the investigation into the attack is ongoing. This incident follows a broader trend of cyber threats targeting local governments, highlighting the growing need for stronger cybersecurity measures.

CONCERNING: Texas, Local Government, Ransomware.

SENSCY'S ANALYSIS: Initial reports indicate the Matagorda County cyberattack likely originated from an unauthorized access point; SensCy believes this suggests weak access controls, phishing, or unpatched vulnerabilities as possible entry methods. While the breach was contained to internal systems, it greatly disrupted government operations, forcing officials to declare a disaster and implement alternative service methods. The inability to process in-person transactions may cause financial and administrative delays, affecting residents and county functions. SensCy recommends that local governments strengthen their cybersecurity posture by enforcing multi-factor authentication (MFA) and restricting access to sensitive systems. Regular security audits and timely software updates can prevent attackers from exploiting vulnerabilities. Employee cybersecurity training is crucial in mitigating phishing attacks, a common entry point for ransomware and system breaches. Proactive network monitoring and intrusion detection systems (IDS) can help identify suspicious activity early. In the aftermath, Matagorda County should conduct a thorough forensic investigation to determine the exact breach method and patch security gaps. Enhancing incident response plans and performing regular cybersecurity drills will improve readiness for future attacks. Cyber insurance can help mitigate financial losses from operational disruptions. Governments must also collaborate with federal cybersecurity agencies to strengthen defenses against evolving threats. This attack highlights the urgent need for investment in cybersecurity infrastructure to protect public services and sensitive data.

Ransomware Attack Disrupts New York Blood Center Operations

WHAT HAPPENED: New York Blood Center Enterprises, serving over 75 million people, confirmed it was hit by a ransomware attack, forcing blood drive cancellations and delays in processing donations. The breach was discovered on Sunday, and an initial investigation conducted by cybersecurity experts confirmed it as ransomware. While containment efforts are underway, no group has claimed responsibility, and there is no timeline for system restoration. Despite operational disruptions, the center continues to accept donations, though processing times are slower. This attack is part of a growing trend of ransomware incidents targeting healthcare and blood donation services worldwide, highlighting critical vulnerabilities in the sector.

CONCERNING: New York Blood Center Enterprises, Healthcare, Ransomware.

SENSCY'S ANALYSIS: SensCy believes the ransomware attack on New York Blood Center Enterprises likely originated from phishing emails, compromised credentials, or unpatched software vulnerabilities, common entry points for cybercriminals. Once inside, the attackers encrypted critical IT systems, disrupting operations and delaying blood processing. The threat actors forced the rescheduling of blood drives, potentially impacting hospitals that rely on timely blood donations. If patient or donor data is stolen, it could lead to identity theft and further cyber threats. To prevent such incidents, healthcare organizations must implement multi-factor authentication (MFA) and restrict access to sensitive systems. Regular security assessments and timely patching of software can close exploitable vulnerabilities. Employee training on phishing and cybersecurity best practices can help reduce the risk of credential theft. Implementing offline data backups ensures that organizations can restore systems without paying a ransom. Moving forward, blood centers and healthcare providers should enhance network monitoring and incident response capabilities. Engaging with cybersecurity firms for threat intelligence sharing can help anticipate and prevent attacks. SensCy believes regulatory bodies should enforce stricter security requirements for healthcare entities handling sensitive patient and donor data. As ransomware attacks on critical infrastructure increase, investment in robust cybersecurity defenses is no longer optional but essential for operational continuity and public safety.


AGAIN? Principal Kenneth Cucchi’s III student was not mine as the Mail stated for 2017 to Me his MOM where is identity was insured to not be stolen for Bri’a MOM or Riley’s MOM now after Rochester Schools has done what with Power School.
