THREAT ADVISORY: Targeted Extortion of School Districts Following PowerSchool Breach

Executive Summary

Blackswan Cybersecurity is actively monitoring the evolving threat landscape following the PowerSchool breach initially detected in December 2024. Recent developments indicate that the threat actor responsible for the incident is now individually extorting K12 school districts, leveraging data exfiltrated during the original breach. Despite PowerSchool’s efforts—including the payment of a ransom and collaboration with law enforcement—affected school systems continue to face re-victimization. This report outlines the sequence of events, threat actor tactics, implications for the education sector, and critical guidance for prevention and response.

Incident Overview

In December 2024, PowerSchool detected unauthorized access to its PowerSource customer support portal. The breach, traced back to compromised credentials, enabled the attacker to use a remote maintenance tool to exfiltrate sensitive school district data from across the U.S., Canada, and other regions. According to threat actor claims, the data set includes information on over 62 million students and 9.5 million teachers across 6,505 school districts.

PowerSchool later confirmed the breach originated months earlier, in August and September 2024. Despite responding by paying a ransom and receiving a purported deletion video from the attacker, the threat actor has now resumed extortion attempts—this time targeting individual school districts directly.

Current Threat Activity: Targeted Extortion

PowerSchool has issued a statement acknowledging that multiple school district customers are receiving direct extortion threats. The threat actor is demanding separate ransoms under the threat of publishing sensitive student and staff data.

The Toronto District School Board (TDSB)—Canada’s largest school board—is among the entities receiving extortion communications. A letter to parents from TDSB confirmed that the attacker has retained the stolen data despite previous assurances, indicating a betrayal of the ransom agreement originally made with PowerSchool.

Data Compromised

The breached databases contain varying levels of sensitive information depending on the school district. The following categories of data are confirmed to be at risk:

  • Full names of students and staff
  • Physical addresses and phone numbers
  • Passwords and login credentials
  • Parent/guardian contact details
  • Social Security Numbers (SSNs)
  • Medical and health-related information
  • Academic records and grades

This type of data poses substantial identity theft, social engineering, and fraud risks, especially within vulnerable populations like students and minors.

PowerSchool’s Response

PowerSchool has reiterated its regret for the continued victimization of its clients and is collaborating with law enforcement agencies in both the United States and Canada. The company has offered two years of complimentary credit monitoring and identity protection services to affected users.

The firm justified its original ransom payment as a difficult but necessary action to protect the students and communities it serves. However, the incident underscores the inherent risk in trusting ransomware actors to uphold their commitments after payment is rendered.

Implications for the Education Sector

This incident highlights several persistent challenges in the K12 cybersecurity ecosystem:

  • High-Value Targets: Education systems remain lucrative for cybercriminals due to the breadth and sensitivity of personal data they store.
  • Credential Abuse: The initial compromise through stolen credentials reinforces the need for robust identity and access management (IAM) protocols.
  • Inefficacy of Ransom Payments: Paying a ransom does not guarantee that data will be deleted or withheld from public release. This case mirrors a broader industry trend, seen in the Change Healthcare (UnitedHealth Group) incident, where a paid ransom failed to prevent a second round of extortion.

Blackswan’s Recommendations

Blackswan Cybersecurity urges school districts, education service providers, and technology vendors to take immediate action:

  1. Zero Trust Architecture

Adopt a zero-trust framework to limit lateral movement and restrict access based on verified identity and device posture.

  2. Credential Hygiene and MFA

Enforce multi-factor authentication (MFA) on all accounts, starting with privileged accounts and any vendor or support-portal accounts (the PowerSchool intrusion began with a compromised credential for such a portal), and conduct routine credential audits.

  3. Threat Detection and Response

Implement Managed Detection and Response (MDR) services to monitor for and neutralize threats before data can be exfiltrated.

  4. Data Minimization and Segmentation

Reduce unnecessary data retention and apply strict network segmentation to isolate sensitive records.

  5. Incident Response Preparedness

Maintain a tested incident response plan that covers extortion scenarios (including re-extortion after a vendor breach), communications strategies, and legal considerations.

Blackswan Cybersecurity: Trusted Protection for K12

With over a decade of defending educational institutions, Blackswan Cybersecurity remains a frontline partner to schools nationwide. Our 24/7 Cyber Fusion Center, Open XDR platform, and expert vCISO services have helped districts mitigate attacks like this before they escalate. We remain committed to safeguarding the digital trust of students, educators, and their communities.

To schedule a threat briefing or discuss hardening your district’s security posture, contact us at: contact@blackswancybersecurity.com or blackswan-cybersecurity.com.

Why Healthcare Organizations Turn to Blackswan Cybersecurity for 24/7 Protection and Peace of Mind

Cybercriminals are relentlessly targeting healthcare organizations—and they’re not slowing down. In fact, the healthcare sector saw a 60% increase in ransomware attacks in the last year alone, making it the most targeted industry for cybercrime. From large hospital systems to regional clinics and outpatient facilities, no healthcare delivery organization is immune.

The reason? Healthcare organizations are rich with valuable patient data, operate under tight regulatory scrutiny (HIPAA, HITECH, PCI DSS), and often rely on legacy systems that weren’t built for today’s cyberthreat landscape. Add to that the high-pressure, always-on nature of care delivery, and it’s no surprise that even a short system outage can mean more than financial damage; it can impact lives.

The Challenge: Complex Threats, Limited Resources

Despite being high-value targets, many healthcare providers operate with limited IT staff, outdated security tools, and growing compliance demands. Managing cybersecurity in this environment can feel overwhelming—especially for teams trying to balance patient care with risk management.

That’s where Blackswan Cybersecurity comes in.

Why Healthcare Chooses Blackswan

With years of experience working alongside hospitals, clinics, and healthcare systems, Blackswan understands the unique needs of healthcare providers. Our approach goes beyond basic protection—we deliver enterprise-grade security that’s scaled, simplified, and affordable for healthcare environments of all sizes.

Here’s how we help:

✅ 24/7/365 Monitoring, Detection, and Response from Our Texas-Based Cyber Fusion Center

Healthcare doesn’t stop, and neither do we. Our U.S.-based team of cybersecurity analysts monitors your environment around the clock—ready to detect and stop threats before they can disrupt patient care or compromise sensitive data.

✅ Multi-Signal MDR + Open XDR: No Alert Fatigue, Just Results

Our managed detection and response (MDR) service combines machine learning, behavioral analytics, and threat intelligence across multiple data streams (network, endpoint, cloud, identity). With Stellar Cyber’s Open XDR platform, we correlate and analyze everything—so you’re not flooded with false positives. You only hear from us when it matters.

✅ Compliance-Ready: Supporting HIPAA, HITECH & More

From logging and reporting to breach detection and incident response, our solutions help healthcare organizations stay aligned with compliance frameworks. We also offer vCISO services to help you build and maintain a strategic security program with clear documentation, policies, and executive support.

✅ Rapid Containment = Operational Resilience

Our mean time to contain threats is under 15 minutes. That means ransomware, phishing attempts, and insider threats are stopped before they become system-wide failures or compliance headaches.

✅ Expert-Led Cyber Strategy with a Human Touch

We don’t just install tools—we act as an extension of your team. From onboarding through incident response, you’ll have direct access to cybersecurity experts who understand your business and communicate in terms that make sense to clinicians and executives alike.


One Partner. One Call. All-Inclusive Protection.

Healthcare providers don’t have the luxury of ignoring cybersecurity. From ensuring uptime of critical systems to protecting the privacy of patients, every second matters. That’s why so many healthcare organizations are turning to Blackswan for help.

Whether you’re a rural clinic with limited IT staff or a growing health system seeking greater visibility and control, Blackswan delivers the protection, expertise, and peace of mind you need—without the enterprise price tag.

Let’s protect your patients, your data, and your mission—together.

📞 Book a 15-minute call today to see how Blackswan Cybersecurity can support your healthcare organization.

GitHub Supply Chain Attack Underscores Growing Threat—How Blackswan Cybersecurity Helps You Stay Ahead

A recent GitHub supply chain compromise sent shockwaves through the developer community, reinforcing the urgent need for stronger cybersecurity hygiene, especially around third-party automation tools. The attack targeted a widely used GitHub Action known as tj-actions/changed-files, which was compromised to leak sensitive credentials from over 23,000 repositories.

The breach, first detected by StepSecurity on March 14, 2025, involved an attacker gaining access to a GitHub automation account used to publish the Action. By modifying the Action’s code, the attacker caused developer secrets such as API tokens, encryption keys, and passwords to be written to workflow logs, which are publicly readable for public repositories: a severe threat to both security and trust across software supply chains.

Although GitHub has since removed and restored the tool after eliminating the malicious code, the incident highlights a fundamental vulnerability in the open-source ecosystem: reliance on unaudited third-party tools. As Varun Sharma of StepSecurity noted, this incident could open the floodgates to a rise in credential-based supply chain attacks.

This is where Blackswan Cybersecurity steps in. With over 30 years of experience and a proven record of protecting both public and private organizations, we specialize in supply chain risk management, threat detection, and continuous monitoring. Our 24/7 Cyber Fusion Center, powered by Managed Detection and Response (MDR), actively monitors for suspicious activity and enables real-time responses to credential misuse and code injection threats.

From public education and municipalities to industries such as automotive, legal, and other SMBs that are targeted due to limited internal security teams—our right-sized, cost-effective solutions offer enterprise-grade protection without the complexity. Maintaining secure software development pipelines is crucial to operational continuity and customer trust.

Key Takeaways:

  • Always vet third-party Actions or Packages before integrating them into your workflow.
  • Regularly rotate and audit exposed credentials.
  • Implement real-time monitoring and automated detection systems.
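The first takeaway is the one that would have blunted this particular attack: a workflow that references an Action by a mutable tag (`@v45`) or branch (`@main`) runs whatever commit that tag points to today, and in the tj-actions/changed-files incident the attacker moved existing version tags to the malicious commit. Pinning to a full 40-character commit SHA removes that lever. The following is an added example, not code from Blackswan or from the tj-actions project: a small audit script that scans workflow YAML for `uses:` references and reports any that are not pinned to a commit SHA (or, for `docker://` images, to a digest). The sample workflow embedded in it is constructed for illustration; the repository and Action names in it are placeholders except for the two well-known ones.

```python
import re
from typing import Dict, List

# Constructed sample workflow for the audit (not taken from any real repository).
# Only the first step is pinned the way a supply-chain-aware team would pin it.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/local-setup
      - uses: tj-actions/changed-files@v45
      - uses: docker://alpine:3.20
      - name: lint
        uses: some-org/lint-action@main
      - run: make test
"""

# Matches "uses:" whether it begins a list item ("- uses:") or follows a "name:" key.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full git object ID: 40 lowercase hex characters. Short SHAs are not accepted,
# because GitHub resolves abbreviated refs by prefix, which is not an immutable pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify one 'uses:' reference.

    Returns one of:
      'local'           - a path inside the repository, nothing external to pin
      'sha'             - pinned to a commit SHA or an image digest (immutable)
      'unpinned'        - no '@ref' at all, so it tracks the default branch
      'unpinned-image'  - docker:// image referenced by tag rather than digest
      'mutable-tag'     - a tag or branch name that the publisher (or an attacker
                          holding the publisher's token) can move at any time
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "unpinned-image"
    if "@" not in ref:
        return "unpinned"
    _, git_ref = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(git_ref) else "mutable-tag"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return every non-immutable external Action reference, with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind in ("sha", "local"):
            continue
        findings.append({"line": lineno, "ref": ref, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['kind']:<15} {f['ref']}")
```

Run it over every file under `.github/workflows/` and fail the build on any finding. To remediate a `mutable-tag` finding, resolve the tag to its commit with `git ls-remote <repo-url> refs/tags/<tag>`, pin to that SHA, and keep the human-readable version in a trailing comment as the first sample step does; tools such as Dependabot can then bump the SHA while preserving the pin. Note that SHA pinning protects against a moved tag but not against a malicious commit you chose to pin, so the second takeaway (reviewing what the pinned commit actually does) still applies.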

Let Blackswan help you safeguard your software supply chain. Our proactive, AI-enhanced defenses ensure that your repositories, cloud services, and infrastructure stay protected against the next wave of sophisticated attacks.


Identity is the New Front Line — Infographic

Cybercriminals are no longer wasting time breaking through firewalls. Instead, they’re exploiting the weakest point in most environments: identity.

From compromised email credentials to lateral movement in cloud platforms, identity-based attacks are now the go-to tactic—and they’re growing fast.

At Blackswan Cybersecurity, our Endpoint Detection and Response (EDR) solution powered by Huntress is built to stop these attacks before they escalate. We provide real-time detection, rapid containment, and deep visibility into suspicious behavior—because identity is no longer just a user account. It’s your new attack surface.

Over 600 IT security professionals were surveyed to learn how identity threats are impacting their organizations, what defenses they’re deploying, and what they’re planning next.

Download the infographic to see the trends, insights, and strategies shaping the future of identity protection.

Safeguarding Education: Key Topics Affecting Cyber Risk in the Education Space

Cybersecurity for K-12 Education

Addressing Key Cyber Risks in Education — And How to Stay Ahead

Introduction
As education continues its digital evolution, schools and districts are increasingly vulnerable to cyber threats. From student data privacy concerns to ransomware incidents, the stakes are high—and attackers know it. Navigating this complex landscape requires more than tools; it demands a partner with a deep understanding of K–12 security challenges. That’s where Blackswan Cybersecurity steps in. With decades of experience serving the education sector, we offer tailored, around-the-clock protection through our Cyber Fusion Center, Open XDR platform, and vCISO advisory services.

1. Data Privacy: A Foundational Challenge
Educational institutions are stewards of vast volumes of sensitive student and staff data. A single breach can erode trust and trigger legal consequences. At Blackswan, we help districts stay compliant with FERPA and other data privacy laws by implementing custom, scalable data governance frameworks—paired with our MDR (Managed Detection and Response) services for continuous protection.

2. Phishing & Social Engineering
Phishing remains one of the top threat vectors in schools. Staff and students are often targeted with convincing lures. Blackswan deploys behavior-based threat detection through Open XDR, while our vCISO services conduct needs assessments, provide guidance, and deliver specialized training programs and phishing simulations to build a culture of cybersecurity awareness.

3. Ransomware Resilience
Ransomware attacks can bring learning to a standstill. Our 24/7 Cyber Fusion Center proactively hunts threats before they escalate, while our incident response playbooks—designed specifically for schools—ensure rapid containment and recovery with minimal disruption.

4. IoT & BYOD Risks
With more connected devices in classrooms than ever, visibility is crucial. Blackswan’s unified threat management platform offers real-time device monitoring and policy enforcement across diverse device types—whether it’s district-issued Chromebooks or student-owned phones.

5. Insider Threats
Not all threats come from the outside. Our Open XDR platform integrates behavioral analytics to detect anomalies caused by insider misuse, while access reviews and policy audits are a core part of our vCISO strategic roadmap engagements.

Conclusion
Cyber threats in education are evolving—but so are the defenses. Blackswan Cybersecurity stands at the forefront, helping schools and districts build cyber maturity, meet compliance, and protect their communities. Whether you need 24/7 monitoring, expert-led strategy, or real-time response, we’re here to keep learning safe.