PowerSchool, a provider of K-12 software and cloud solutions, had a breach over the holidays.
-
@[email protected] @[email protected] I (un)fortunately live in a state where it is downright illegal to store preferred names in SIS. the only way that would happen is if a student has undergone a legal name change in which case this would already be public record. If that makes you feel any better...
-
@[email protected] this client has transgender students and i have to keep their emails strictly their legal name. it hurts me.
-
@[email protected] the awkwardness of a student walking into my office asking for a password reset, me asking their name… searching our system… not getting a result… telling them I can’t find them and then hearing the pain in their voice "oh, try $NAME…" It’s not exactly easy to do this to trans students
-
@[email protected] breaks my heart every time because they get super timid and worried that I’m gonna judge them or yell at them it’s not fun
-
@puppygirlhornypost2 @briankrebs Some SIS also store bank and/or credit card data to automatically bill for tuition, lunch, after school programmes.
Some also have fundraising/development modules storing lists of donors and donations.
It’s a cesspool of radioactive data.
-
@[email protected] @[email protected] good point! I was thinking more of terms around a specific client. We have an outside vendor for catering and their system manages the lunch accounts. I completely forgot that use case for SIS. Thanks for pointing it out because yeah, some schools absolutely have everything in one basket.
-
@briankrebs Having worked in IT for two different school districts, this is incredibly frustrating. Often understaffed and underfunded, districts rely on services like these to help manage the load. Yet these services are run by the "why would a thief lie" crowd.
-
@[email protected] @[email protected] love that i find out about this from fedi and not my actual job at school using powerschool
-
@briankrebs To everyone who is aghast that they believe the hackers, they probably don't, but that's the line that they are holding. K12 private equity is not much different than corporate...
-
@briankrebs The sarcasm is strong in this one.
-
@briankrebs I assume the video showed them destroying their floppy disks, right?
-
Started poking at this PowerSchool breach a bit more. Constella Intelligence finds a shocking number of infostealer infections (some quite recent) from people w/ powerschool.com email addresses.
Meanwhile, this breach is likely to involve quite a bit of very detailed information gleaned from their users (students). Last year, PowerSchool was hit by two class action lawsuits that alleged "the defendant companies, through persistent digital surveillance, harvest vast troves of sensitive information from children and their families without their knowledge or consent. The companies are alleged to use that information for commercial purposes in violation of families’ privacy, property, and consumer rights."
"The named plaintiffs are the parents of students who have used these platforms, on behalf of themselves and their children. The parents argue that, simply by sending their children to school as the law requires, they do not surrender their rights to know what information private companies are taking from their children and how it will be used—and to decide whether to agree to that collection and use."
https://edtech.law/wp-content/uploads/2024/05/complaint-powerschool.pdf
https://edtech.law/wp-content/uploads/2024/05/complaint-ixl.pdf
-
An update from a school district in Winston-Salem, NC on the fallout from the PowerSchool breach. Love how they also use weasel words "steps were taken" to euphemize "they paid."
Not for nothing, but Winston-Salem is still recovering from its own ransomware attack over the holidays. This is fine.
"Hello Winston-Salem Forsyth County Schools families and staff,
Tuesday afternoon, the state of North Carolina’s student information system provider, PowerSchool, notified the district that an unauthorized party gained access to its system. School systems across the state, nation and world were impacted, including WS/FCS. Information about WS/FCS students, families and staff was accessed during this incident.
The incident is under investigation by PowerSchool, federal law enforcement, and NC Department of Public Instruction officials. PowerSchool reported that steps were taken to prevent the data from further misuse and the company believes the data has been deleted. According to PowerSchool, the incident is contained and they do not anticipate the data being shared or made public. Law enforcement officials are monitoring to ensure the information has not been spread or shared.
We are working closely with PowerSchool and NC DPI to identify what information was accessed and to determine what steps will be taken by PowerSchool to support any individual whose data has been breached.
NC DPI says there was no action WS/FCS could have taken to prevent this incident, which happened at the company level.
PowerSchool is a web-based platform school systems are required by North Carolina to use to maintain student and staff data. Protecting student and staff information is critically important, and we take this issue seriously.
We will keep families and staff informed as we receive more information from PowerSchool and NC DPI.
Thank you for your patience as we and our school district colleagues across the world work through this situation.
- WS/FCS"
-
@briankrebs got the email from my daughter’s school, we got hit with the Power School breach.
-
@briankrebs From my son’s school…. PowerSchool has informed us that they have taken action with the hackers to ensure the unauthorized data was deleted without any further replication or dissemination. They do not anticipate any of the data being shared or made public and are working with cybersecurity experts and law enforcement to ensure ongoing data safety.
(LOL “taken action with the hackers to ensure… data deleted”)