If you look at the chain of operations inside the system, it appears roughly like this:

Entry: compromised support credential Execution: Maintenance Remote Support operations through the PowerSource support portal System of record: Student Information System (SIS) databases

The support account did not access customer data directly.

Instead, operations were executed through the PowerSource support interface, which could trigger actions against customer databases.

In effect, the support portal functioned as an execution mechanism for operations on production databases.

This makes the incident less about direct database access and more about the execution authority embedded in the support interface.