Yet another data breach travesty has befallen us. PowerSchool has admitted to a massive data breach by telling customers that it experienced a “cybersecurity incident” allowing hackers to compromise the personal data of students and teachers in K-12 school districts across the United States and beyond.
Recently acquired by Bain Capital, PowerSchool is considered the largest cloud-based education software provider for K-12 education in the U.S. According to its website, the company serves more than 75 percent of students in North America. PowerSchool claims its software is used by over 18,000 customers to support more than 60 million students in the United States. In total, the company claims it serves over 60 million students and more than 18,000 customers in nearly 100 countries.
On December 28th, PowerSchool discovered that hackers had successfully breached its PowerSource customer support portal. The compromise allowed the hackers access to the company’s school information system, PowerSchool SIS, which is used to manage student records, grades, attendance, and enrollment. The letter said the company’s investigation found the hackers gained access “using a compromised credential.”
According to Bleeping Computer, PowerSchool said it was not a ransomware attack. However, the company was extorted into paying a financial sum to prevent the hackers from leaking the stolen data. (For the record, that’s the very definition of a ransomware attack.) How much PowerSchool paid was not revealed. The company did say that names and addresses were exposed in the breach, but that the information may also include Social Security numbers, medical information, grades, and other personally identifiable information.
Bleeping Computer’s sources said that the hackers responsible for the breach allegedly accessed the personal data of more than 62 million students and 9.5 million teachers. PowerSchool declined to confirm these numbers.
Breaking It Down
Now that we know what happened, we can ask why. First, how much medical information does this company need to develop and deliver educational software? One of the biggest problems in the tech industry, and in business in general, is the unnecessary collection of personal information. Why does this company need student Social Security numbers? I am sure the company may have some justification for it, but I can’t see it. Neither can I see the company asking for student medical information. I’ll let them explain that.
Another common problem when we hear about these data breaches is the poor security around the data. This is more than just a common problem; it’s an epidemic of carelessness that should be punishable by prison time.
PowerSchool spokesperson Beth Keebler added insult to injury by telling TechCrunch that the PowerSource portal did not support multi-factor authentication at the time of the incident, while PowerSchool did. That matters here: the hackers got in with a compromised credential, and a stolen password alone is far less useful when a second factor is required to log in. When it comes to sensitive information, multi-factor authentication is a standard tool for security and privacy across all resources.
And get this: PowerSchool paid the hackers but has no guarantee that the stolen data was actually deleted. They actually trusted the hackers to do as they promised. Keebler told TechCrunch that the company “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.” The company has neither confirmed nor denied that it has video evidence that the data was deleted.
Hey PowerSchool! Whether you paid them or not, do you really think the hackers destroyed information they can easily sell and there is nothing you can do about it? Give me a break!