PowerSchool, a provider of K-12 software and cloud solutions, had a breach over the holidays.
-
@briankrebs The people with morals low enough to hack children’s information are definitely trustworthy enough to not have made backups or faked their deletion video, right? Right??
-
@briankrebs I, too, can make a recording of me deleting data. I just won't record myself making a copy of the data as well...
-
@[email protected] I contract for education in the United States and I'd like to take a moment to remind everyone...
SIS (Student Information Services) stores not only your grades, your transcript, your demographics (think address, emergency contacts) but also medical records (in the United States, schools are mandated to have a copy of your vaccination history). So this might sound not that bad, but what the hackers had access to...
Grades
Transcripts
Vaccination records
Home Addresses
Parents (including their phone number)
Emergency contacts
Email addresses
and that's just the surface. It really depends on a lot of other factors, but this is what I know off the top of my head.
-
@[email protected] We're also talking about potentially things like proof of residence (birth certificates, utility bills and so on). So this is not your run-of-the-mill "Facebook hacked, they have your email address and phone number"; this is pretty fucking bad.
-
@[email protected] Honestly I'm in awe because what the actual fuck lol??? They have confidence this threat actor deleted the gold mine of treasures.
-
@puppygirlhornypost2 @briankrebs
This is the crap I had to use to register my kid at school. They (PowerSchool) have proof of income, my driver's license, my mortgage statement, my kid's birth certificate, vaccination records, and so so so much more information than you would think.
-
@[email protected] @[email protected] Yeah, I forgot about the proof of residency and then I remembered. It's really bad; this is really, really bad.
-
@[email protected] @[email protected] And on top of it, some students could potentially be outed by deadnames / old gender markers in previous paperwork or medical records.
-
@[email protected] @[email protected] I (un)fortunately live in a state where it is downright illegal to store preferred names in SIS. The only way that would happen is if a student has undergone a legal name change, in which case this would already be public record. If that makes you feel any better...
-
@[email protected] This client has transgender students and I have to keep their emails strictly their legal name. It hurts me.
-
@[email protected] The awkwardness of a student walking into my office asking for a password reset, me asking their name… searching our system… not getting a result… telling them I can't find them and then hearing the pain in their voice: "oh, try $NAME…" It's not exactly easy to do this to trans students.
-
@[email protected] Breaks my heart every time, because they get super timid and worried that I'm gonna judge them or yell at them. It's not fun.
-
@puppygirlhornypost2 @briankrebs Some SIS also store bank and/or credit card data to automatically bill for tuition, lunch, after school programmes.
Some also have fundraising/development modules storing lists of donors and donations.
It's a cesspool of radioactive data.
-
@[email protected] @[email protected] Good point! I was thinking more in terms of a specific client. We have an outside vendor for catering and their system manages the lunch accounts. I completely forgot that use case for SIS. Thanks for pointing it out, because yeah, some schools absolutely have everything in one basket.
-
@briankrebs Having worked in IT for two different school districts, this is incredibly frustrating. Often understaffed and underfunded, districts rely on services like these to help manage the load. Yet these services are run by the "why would a thief lie" crowd.
-
@[email protected] @[email protected] Love that I find out about this from fedi and not my actual job at a school using PowerSchool.
-
@briankrebs To everyone who is aghast that they believe the hackers, they probably don't, but that's the line that they are holding. K12 private equity is not much different than corporate...
-
@briankrebs The sarcasm is strong in this one.
-
@briankrebs I assume the video showed them destroying their floppy disks, right?
-
Started poking at this PowerSchool breach a bit more. Constella Intelligence finds a shocking number of infostealer infections (some quite recent) from people with powerschool.com email addresses.
Meanwhile, this breach is likely to involve quite a bit of very detailed information gleaned from their users (students). Last year, PowerSchool was hit by two class action lawsuits that alleged "the defendant companies, through persistent digital surveillance, harvest vast troves of sensitive information from children and their families without their knowledge or consent. The companies are alleged to use that information for commercial purposes in violation of families’ privacy, property, and consumer rights."
"The named plaintiffs are the parents of students who have used these platforms, on behalf of themselves and their children. The parents argue that, simply by sending their children to school as the law requires, they do not surrender their rights to know what information private companies are taking from their children and how it will be used—and to decide whether to agree to that collection and use."
https://edtech.law/wp-content/uploads/2024/05/complaint-powerschool.pdf
https://edtech.law/wp-content/uploads/2024/05/complaint-ixl.pdf