From SolarWinds to PowerSchool: Growing menace of software supplier breaches
The early attacks on software suppliers, such as those on SolarWinds and Kaseya, shone a spotlight on the consequences when these companies are hit by cyber adversaries. By any measure, those attacks were a success for the other side: a single compromise fanned out to the supplier's entire customer base, an outsized impact for minimal investment on the attacker's part.
Recently, software vendor PowerSchool was hit with a ransomware attack, bringing software supplier attacks back into the limelight. The attackers allegedly copied as much of PowerSchool's data as they could before issuing their ransom demand, claiming to have stolen highly sensitive student and teacher information.
PowerSchool reportedly paid the ransom in return for the threat actors' promise to delete the stolen data. Those of us in the digital risk space who spend time observing these actors know that, unfortunately, such promises are rarely kept: we see data from ransomware incidents resurface in other attacks and in trades of stolen data on the dark web and Telegram. And in this case, we are talking about the Personally Identifiable Information (PII) of children. It doesn't get much scarier than that, and if SolarWinds wasn't enough of a wake-up call, this attack should be.
Growing Threat and Impact of Stolen Credentials
Stolen credentials remain one of the most common ways a breach begins, according to the 2024 Verizon Data Breach Investigations Report (DBIR). And a quick query of the GroupSense BreachRecon database returns nearly 700,000 stolen or leaked credentials from K-12 institutions in just the last 12 months. This is concerning for several obvious reasons.
Stolen credentials are a valuable commodity in the cybercriminal ecosystem and are often the gateway to more significant attacks. Whether acquired through phishing campaigns, data breaches, or credential-stealing (infostealer) malware, they can be used in several ways. One common tactic is credential stuffing, in which attackers replay stolen username and password pairs against many unrelated services, capitalizing on users who reuse the same password everywhere. The tell-tale pattern is a single source trying many different accounts, most of which fail, until one of the reused passwords works.
In a K-12 setting, that could mean unauthorized access to student records, grade manipulation, or control of communication systems. Threat actors also sell or trade credentials on dark web forums and encrypted messaging apps such as Telegram, where other criminals use them for targeted spear-phishing of parents, staff, and administrators. Most concerning, stolen administrator-level credentials can be used to deploy ransomware directly, disable security tools, or exfiltrate sensitive data for extortion.
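As an added illustration (not part of the original article, and not code from PowerSchool or any vendor named here), the following Python detector runs over a few constructed authentication log lines and separates the credential-stuffing pattern described above (one source, many distinct usernames, mostly failures, then a success) from a legitimate user mistyping a password and from single-account brute force. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not from any real product).
# 203.0.113.7  : credential stuffing - five different users fail, then one succeeds
# 198.51.100.5 : a legitimate user mistyping a password, then succeeding
# 192.0.2.9    : single-account brute force (same user, many failures)
SAMPLE_LOG = """\
2025-01-10T08:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2025-01-10T08:00:02Z auth src=203.0.113.7 user=bob result=FAIL
2025-01-10T08:00:03Z auth src=203.0.113.7 user=carol result=FAIL
2025-01-10T08:00:04Z auth src=203.0.113.7 user=dave result=FAIL
2025-01-10T08:00:05Z auth src=203.0.113.7 user=erin result=FAIL
2025-01-10T08:00:06Z auth src=203.0.113.7 user=frank result=OK
2025-01-10T08:01:00Z auth src=198.51.100.5 user=gina result=FAIL
2025-01-10T08:01:10Z auth src=198.51.100.5 user=gina result=FAIL
2025-01-10T08:01:20Z auth src=198.51.100.5 user=gina result=FAIL
2025-01-10T08:01:30Z auth src=198.51.100.5 user=gina result=OK
2025-01-10T08:02:00Z auth src=192.0.2.9 user=hank result=FAIL
2025-01-10T08:02:01Z auth src=192.0.2.9 user=hank result=FAIL
2025-01-10T08:02:02Z auth src=192.0.2.9 user=hank result=FAIL
2025-01-10T08:02:03Z auth src=192.0.2.9 user=hank result=FAIL
2025-01-10T08:02:04Z auth src=192.0.2.9 user=hank result=FAIL
2025-01-10T08:02:05Z auth src=192.0.2.9 user=hank result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_users=4):
    """Flag a source IP when, inside a sliding time window, it has at least
    min_failures failed logins spread across at least min_users distinct
    usernames. The distinct-user requirement is what separates stuffing (many
    accounts, each tried once or twice) from brute force against one account.
    Successful logins from a flagged IP after the alert are recorded: those are
    the reused passwords the attacker was looking for, and the accounts to reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = deque()
        for e in evs:
            if e["result"] == "FAIL":
                recent_failures.append(e)
                # Drop failures that have aged out of the window.
                while e["ts"] - recent_failures[0]["ts"] > window:
                    recent_failures.popleft()
                users = {f["user"] for f in recent_failures}
                if (ip not in alerts and len(recent_failures) >= min_failures
                        and len(users) >= min_users):
                    alerts[ip] = {
                        "first_alert": e["ts"].isoformat(),
                        "failures": len(recent_failures),
                        "distinct_users": sorted(users),
                        "successes_after": [],
                    }
            elif ip in alerts:
                alerts[ip]["successes_after"].append(e["user"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Only 203.0.113.7 is flagged: the mistyped-password case never reaches the failure threshold and the brute-force case has only one distinct user. The `successes_after` list is the triage priority, since each entry is an account whose password is already in the attacker's hands; in practice the same logic is keyed on more than the source IP (stuffing tools rotate through proxies), and the thresholds are tuned to the service's normal failure rate.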
Ripple Effect of Ransomware Attacks
The ripple effect of attacks like this extends far beyond the immediate financial or operational impact. These breaches fundamentally erode trust. For parents and educators, the breach of student information feels deeply personal, fueling fears about their children’s privacy and safety. This loss of trust can lead to skepticism toward the affected school district’s ability to safeguard data and may prompt parents to demand transparency and accountability measures.
Over time, repeated incidents can undermine confidence not only in individual vendors but also in the broader digital tools that schools rely on, potentially slowing the adoption of technology meant to enhance education and security. Rebuilding this trust requires more than remediation; it demands clear communication, preventative action and sustained vigilance.
To make matters worse, the impact may not be fully understood until long after the event is "cleaned up." Threat actors often use the identity information of minors to create "synthetic identities": profiles built by combining real PII from one person with information from another person or a fabricated one. These synthetic profiles are then used to open bank accounts, secure loans or commit financial fraud, allowing the perpetrators to build credit histories before "cashing out" with large transactions and disappearing.
This type of fraud is particularly insidious because it can go undetected for years, since a child's Social Security number (SSN) is not normally checked against a credit file until the child is old enough to use it. In other words, some of these K-12 students may not learn that their credit has been exploited until they apply for their first credit card or a student loan much later in life and are denied.
Actionable Steps for Organizations and Individuals to Safeguard Data
Impacted organizations should take immediate steps to protect the company and its employees. Every organization should have an incident response plan on hand, ideally one that has been tested through rounds of tabletop exercises. The plan is the map, during and after the incident, for communication, legal and containment matters. At a minimum, organizations should contain and remediate the breach, conduct a forensic investigation, communicate transparently, provide support services to those affected, rebuild trust and implement preventative measures such as MFA and cybersecurity education.
In breaches like PowerSchool's, affected individuals, once notified, should monitor their personal and financial information by regularly checking credit reports for unusual activity using free services like annualcreditreport.com, and stay alert for signs of identity theft such as unexpected bills or credit inquiries. They should place a credit freeze with each of the major credit bureaus to prevent unauthorized accounts from being opened in their name; parents can do the same for a minor's credit file.
In addition, they should update passwords, avoid reusing the same credentials across multiple accounts, and enable multi-factor authentication (MFA) wherever possible. Finally, if fraud is detected, individuals should report it to the Federal Trade Commission (FTC) at identitytheft.gov and file a police report if necessary. They should also notify the school or institution if unusual communications or data misuse are observed.
Rethinking Data Protection in the Future
When we talk about protecting critical infrastructure, the focus is usually on organizations or physical assets that warrant priority from a cyber protection perspective. But what about data? Perhaps classifying specific data types as critical is the next logical step. In this case, the PII of minors should be classified as critical.
Cyber adversaries have recognized, and will continue to recognize, the return on investment from compromising software service providers. From SolarWinds to MOVEit, the efficiency of a single compromise that captures data across entire industries, netting multiple victim organizations, multiple extortion targets and myriad ransom demands, is too enticing to pass up. This is the future, and given the pervasive adoption of SaaS solution providers, everyone, adults and children alike, will be affected, so it is more important than ever to take the appropriate security measures to safeguard our critical data.