Towards the end of last year, PowerSchool—an enterprise specializing in cloud-based solutions for K-12 educational institutions—fell victim to a cyber attack. This incident led to the unauthorized access and theft of personal data belonging to millions of students and staff. The exposure of sensitive information, including social security numbers and birthdates, was a preventable event.
As the news broke, it was revealed that the compromised account belonged to a PowerSchool employee who had not enabled a critical security feature known as two-factor authentication (2FA). If 2FA had been active, the hackers would have encountered an additional verification step, making unauthorized access to PowerSchool’s internal systems significantly more difficult.
In an age plagued by frequent data breaches, implementing this extra layer of security is essential. It acts as a safety net should a password be compromised—especially since many individuals opt for weak or reused passwords that are easily exploitable. Additionally, phishing attempts can sometimes reveal even the most secure passwords.
PowerSchool’s oversight in not enforcing multi-factor authentication for employees, particularly those handling sensitive data, is concerning. However, by taking proactive measures, you can sidestep the pitfalls that led to PowerSchool’s breach. Everyone, not just IT professionals, has valuable accounts—such as email and bank accounts—that warrant protection.
Jared Newman / Foundry
To protect your sensitive online accounts, enable two-factor authentication as soon as possible. If you haven’t already, consider upgrading to a strong, unique password as well. Setup is quick and can be done from your smartphone.
For convenience and security, I suggest using apps that generate one-time codes, which provide the best balance between accessibility and protection. Be aware that SMS codes are less secure, as they are susceptible to interception. Adding two-factor authentication may only take an additional 15 seconds during your login, so it’s a minor time investment for enhanced security. Don’t forget to securely save your backup codes in an easily accessible location.
It’s crucial to enable 2FA on any important account, even those that support passkeys. Passkeys provide a faster and more secure method of logging in than traditional passwords, especially when stored on a local device. However, if a password is still linked to the account, an attacker could gain access using the password alone, making 2FA essential for continued protection.
As of now, PowerSchool continues to notify individuals impacted by the data breach. The extent of the compromised data varies by school district, but the company is offering two years of credit monitoring to affected individuals. Additionally, there are various further steps you can take to protect your children, as some types of identity theft can operate unnoticed for an extended period.
Editor’s note: Originally published on February 18, this article has been updated to clarify the timeline of the cyber attack on PowerSchool and provide additional context.