"PowerSchool said any adults affected would be receiving free credit monitoring, while minors would get subscriptions to an unnamed identity protection services biz..."
Hmmm, I wonder...
A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data – including some Social Security Numbers and medical info – stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including …
And there, my friend, lies the crux of the issue.
Minimum application of minimum requirements.
Having worked in a number of fields similar to this, the amount of executive push back, based only on cost I hasten to add, against substantial and commensurate security features is shocking.
There is still a culture of "it'll never happen to us".
Cos if they did then the data breach might just have cured itself!
Makes me wonder what was the data being used for -- bragging rights or something more malicious? If malicious and over such a long period as suggested then surely there would be traces elsewhere -- ID theft issues, bank issues...
In any case someone somewhere should be getting marching orders for poor credential security.
FERPA https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act has been around for literally 50 years. In order for one set of compromised credentials to access all of this info, FERPA was being violated big time in the course of their normal operations. FERPA is, of course, Federal. And even if it wasn’t, the fact that multiple states and multiple countries are involved would make it Federal.
There’s going to be blood…
PowerSchool may, depending on the school, store the student's name, address, contact info, Social Insurance Number (SIN), and Permanent Residency card number (PR). In Canada that's plenty good enough to open bank accounts, credit cards, etc. etc. This is going to be a nightmare.
The actual letter sent to students and parents played all this down, despite them saying elsewhere:
"PowerSchool SIS is a student information system (SIS) used to manage student records, grades, attendance, enrollment, and more."
"PowerSchool has confirmed that the stolen data primarily contains contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades."
See:
Dear Valued Customer,
As the Technical Contact for your district or school, we are reaching out to inform you that on December 28, 2024, PowerSchool became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals, PowerSource. Over the succeeding days, our investigation determined that an unauthorized party gained access to certain PowerSchool Student Information System (“SIS”) customer data using a compromised credential, and we regret to inform you that your data was accessed.
Please review the following information and be sure to share this with relevant security individuals at your organization.
As soon as we learned of the potential incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts. We have also informed law enforcement.
We can confirm that the information accessed belongs to certain SIS customers and relates to families and educators, including those from your organization. The unauthorized access point was isolated to our PowerSource portal. As the PowerSource portal only permits access to the SIS database, we can confirm no other PowerSchool products were affected as a result of this incident.
Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment. PowerSchool is not experiencing, nor expects to experience, any operational disruption and continues to provide services as normal to our customers.
Rest assured, we have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse. We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination.
We have also deactivated the compromised credential and restricted all access to the affected portal. Lastly, we have conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts.
PowerSchool is committed to working diligently with customers to communicate with your educators, families, and other stakeholders. We are equipped to conduct a thorough notification process to all impacted individuals. Over the coming weeks, we ask for your patience and collaboration as we work through the details of this notification process.
We have taken all appropriate steps to further prevent the exposure of information affected by this incident. While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.
In the coming days, we will provide you with a communications package to support you in engaging with families, teachers and other stakeholders about this incident. The communications package will include tailored outreach emails, talking points, and a robust FAQ so that district and school leadership can confidently discuss this incident with your community.
We understand that you may have additional questions as a result of this update. FAQs are available on PowerSchool Community. Additionally, we will be holding webinars with senior leaders, including our Chief Information Security Officer, to address additional concerns. Please click the link below to register for a webinar that fits your schedule. Note that content for all sessions will be identical, so you need only attend one.
Wednesday, January 8: REGISTER HERE
Thursday, January 9: REGISTER HERE
In the meantime, please reach out to your Customer Success Manager (CSM), Support, or other established PowerSchool contact should you have any questions. We will be sending communications later today to other stakeholders in your organization who are responsible for other PowerSchool products notifying them of no impact to the other PowerSchool products.
We are addressing the situation in an organized and thorough manner, and we are committed to providing affected customers with the resources and support they may need as we work through this together.
Thank you for your continued support and partnership.
Sincerely,
Hardeep Gulati
Chief Executive Officer
Paul Brook
Chief Customer Officer
cc: Mishka McCowan
Chief Information Security Officer
"The supplier did say this wasn't an attack involving ransomware"
"We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination".
I wonder how they can be so sure of this? It sounds to me like they've been talking to the perpetrators and reached a deal, i.e. they've paid the ransom and trust the perps to delete (for what that's worth). There may not have been ransomware involved, but that doesn't mean they haven't paid the scumbags.
There should be people going to prison for this sort of thing. There's no opting out, and often no information is given to parents about the outside IT services a school might use. Staff may be unaware of the depth of information that might be kept in these systems, as well as of the company's attempt to be the One Ring to run everything, in the same way Elon dreams of turning his company into a one-stop shop for all of your financial and social media needs.