In December 2024, PowerSchool — one of North America’s most widely used student information systems — disclosed a breach that affected millions of students and educators. Hackers gained access using a compromised password and remained undetected for nine days, exposing sensitive personal information, including Social Security numbers and medical histories.
This wasn’t just a system failure. It was a wake-up call.
The PowerSchool breach is a stark reminder that school districts don’t just need strong cybersecurity; they need strong vendor oversight. When schools outsource critical functions to edtech providers, those providers become an extension of their digital ecosystem. If a vendor’s security is weak, it can become a direct line to student data.
Why Schools Are Especially Vulnerable
With rising attack frequency and increasingly sophisticated supply chain threats, schools need robust third-party risk management processes. They are particularly at risk when it comes to third-party breaches because of the following:
- Vast vendor networks: The average district uses 1,417 edtech tools annually, and each app increases the attack surface. Despite warnings in 2022, insufficient risk assessment and prevention set the stage for the 2024 breach.
- Limited in-house expertise: Many districts, especially smaller ones, have understaffed IT teams, where members must juggle everything from Chromebooks to ransomware response.
- Shadow IT: Teachers often download new apps or browser extensions without notifying IT. These unsanctioned tools can create major vulnerabilities.
- High-value data: Student records include names, birthdates, addresses, and in some cases, Social Security numbers and health information. That’s everything a hacker needs to steal or sell identities.
The Cost of Inaction
The PowerSchool breach wasn’t an isolated event. In 2024, third-party breaches hit National Public Data and FBCS, exposing the personal information of millions. The education sector is now the fifth most-targeted industry in the United States, and 1,619 cyberattacks on schools were tracked from 2016 to 2022.
These incidents disrupt learning, drain budgets, and shatter trust. A single breach can shut down systems for weeks. Recovery costs for districts are estimated in the hundreds of thousands of dollars, and breaches can also lead to lawsuits, regulatory fines, and state audits. The invasion of privacy creates long-term reputational damage. In other words, vendor risk isn’t an IT problem — it’s a districtwide priority.
Building an Effective Third-Party Risk Management Strategy
Third-party risk management isn’t a one-and-done process. It starts before onboarding and continues throughout the vendor relationship.
1. Ask Better Questions
Before signing a contract, schools must ask vendors the right security questions and verify their answers. This goes beyond “Do you use encryption?” and gets into specifics like:
- Do you require and enforce multifactor authentication (MFA) for all internal systems?
- How do you secure sensitive data such as student PII or IEPs?
- Do you have a documented incident response plan, and will you share it?
- Do you conduct regular third-party audits and security assessments?
2. Prioritize Vendors by Risk Level
Not all vendors are equal. Group them by their data access and importance to core operations. For example, high-risk vendors include those with access to SIS platforms, grading and reporting tools, and health apps. Medium-risk vendors include content filtering systems and single sign-on tools, while low-risk vendors include catering services and newsletter software. Prioritizing vendors helps districts allocate their security resources more effectively.
3. Include Cybersecurity Clauses in Every Contract
Vendor agreements should spell out security requirements as part of third-party vetting, including MFA, encryption protocols, access controls, and breach notification timelines. Contracts should also grant the school audit rights, indemnification clauses, and the ability to terminate if standards aren’t met.
Schools also have a legal duty under the Family Educational Rights and Privacy Act, which requires them to notify parents about what information they collect, and that responsibility extends to the digital vendors and staff who access that data.
4. Create a Structured Vetting Workflow
Follow the lead of Moore Public Schools in Oklahoma, where educators submit software requests before introducing any new tech into the classroom. Management, including the curriculum and tech departments, reviews new tools, evaluates the privacy policies, and completes standard vendor data surveys before approving any new software or apps. It’s time-intensive, but it works.
5. Monitor Continuously, Not Just at Onboarding
Security risks evolve, and so should your oversight. Regularly audit existing vendors and reevaluate risk levels. Ask for updated security certifications or compliance reports annually. Consider using cloud security and system management tools to auto-block risky applications and revoke access when needed. With good IT management, Windows endpoints can be configured to enforce stricter access controls and system protections.
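Steps 2 and 5 together describe a repeatable process: tier each vendor by the student data it can reach and its importance to core operations, then re-check each vendor on a cadence that matches its tier. The script below is an added example, not code from the article or from any district or vendor named in it. The data categories, tier rules, review intervals, and the three sample vendors are all constructed assumptions for illustration; a district would substitute its own inventory and policy.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed data categories. Anything in SENSITIVE (or any vendor whose outage
# would halt core operations) is treated as high risk; MODERATE covers identity
# and activity data such as SSO or content-filtering logs.
SENSITIVE = {"ssn", "health", "iep", "grades", "sis_records"}
MODERATE = {"auth_identity", "browsing_activity"}

# Assumed review cadence per tier, in days. Policy values, not from the article.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
COMPLIANCE_REPORT_MAX_AGE_DAYS = 365  # the article's "annually"


@dataclass
class Vendor:
    name: str
    data_access: set[str]          # categories of student data the vendor can reach
    core_operation: bool           # outage would stop attendance, grading, or teaching
    mfa_enforced: bool             # vendor attests MFA is required on all internal systems
    last_compliance_report: date | None
    last_review: date | None = None


def classify(v: Vendor) -> str:
    """Assign a risk tier from data access and operational importance."""
    if v.data_access & SENSITIVE or v.core_operation:
        return "high"
    if v.data_access & MODERATE:
        return "medium"
    return "low"


def findings(v: Vendor, today: date) -> list[str]:
    """Return the oversight gaps for one vendor as of `today`."""
    tier = classify(v)
    gaps: list[str] = []
    if tier == "high" and not v.mfa_enforced:
        gaps.append("no MFA attestation for a high-risk vendor")
    if (v.last_compliance_report is None
            or (today - v.last_compliance_report).days > COMPLIANCE_REPORT_MAX_AGE_DAYS):
        gaps.append("compliance report missing or older than one year")
    interval = REVIEW_INTERVAL_DAYS[tier]
    if v.last_review is None or (today - v.last_review).days > interval:
        gaps.append(f"review overdue (expected every {interval} days)")
    return gaps


def review_inventory(vendors: list[Vendor], today: date) -> dict[str, dict]:
    """Tier every vendor and list its open findings, keyed by vendor name."""
    return {v.name: {"tier": classify(v), "findings": findings(v, today)} for v in vendors}


# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Student Information System (constructed)", {"sis_records", "ssn"}, True,
           mfa_enforced=False, last_compliance_report=date(2025, 1, 15),
           last_review=date(2025, 5, 1)),
    Vendor("Single Sign-On Provider (constructed)", {"auth_identity"}, False,
           mfa_enforced=True, last_compliance_report=None,
           last_review=date(2024, 11, 1)),
    Vendor("Newsletter Tool (constructed)", {"email"}, False,
           mfa_enforced=False, last_compliance_report=date(2025, 3, 1),
           last_review=date(2025, 3, 1)),
]

if __name__ == "__main__":
    for name, result in review_inventory(SAMPLE_VENDORS, TODAY).items():
        status = "; ".join(result["findings"]) or "no findings"
        print(f"[{result['tier'].upper():6}] {name}: {status}")
```

Run against the sample inventory, the SIS vendor is tiered high and flagged only for the missing MFA attestation, the SSO provider is tiered medium with both a missing compliance report and an overdue review, and the newsletter tool is tiered low with nothing open. The point of keeping the rules in data rather than prose is that the same check can be re-run every week as part of step 5, so a vendor that was acceptable at onboarding does not silently drift out of policy.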
6. Educate Staff on Secure App Use
Train teachers to spot red flags, like an app that requests excessive permissions or lacks a clear privacy policy. Training reduces shadow IT and empowers educators to be part of the solution, not the problem. The Cybersecurity and Infrastructure Security Agency provides free training resources that help educators make informed decisions about the apps and platforms they use.
7. Assign Ownership to Your CISO or Tech Lead
Even when procurement decisions are decentralized, your chief information security officer or equivalent should be looped in for any vendors interacting with student data. They need a seat at the table — not just when there’s a breach, but before a vendor’s selection.
Risk Doesn’t Stop at the Firewall
Schools can’t afford to think of cybersecurity as just firewalls and endpoint protection. In today’s environment, your risk is only as strong as your weakest vendor.
The PowerSchool breach wasn’t caused by a missing patch or a careless teacher; it resulted from a vendor failing to implement MFA and detect intrusion in time. Millions of students paid the price.
Every school must safeguard its community’s data. That means treating vendor risk as a critical part of cybersecurity, not an afterthought.
Zac Amos is the Features Editor at ReHack, where he covers phishing, ransomware, and other cybersecurity topics. He has also been featured in publications like VentureBeat, the Global Cybersecurity Alliance, and Cyber Defense Magazine.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.