Friday, February 28

Children’s data hacked after school software firm missed basic security step, internal report says

According to school officials and cybersecurity experts, the hack of a corporation that assists schools in tracking tens of millions of pupils seems to be the worst leak of personal data involving American children to date.

Additionally, an interim cybersecurity investigation specifically commissioned from the cybersecurity firm CrowdStrike found that the company had neglected to take simple safeguards to protect student data, according to recordings of internal discussions and a copy of the report obtained exclusively by NBC News.

The compromised product, the Student Information System (SIS), is one of PowerSchool’s best-known offerings and among the most widely used education technology packages in the United States. The SIS software helps school districts track K–12 students by gathering data such as a student’s name, school, birthday, home address, and parent or guardian. Many districts go one step further and include details such as disciplinary history, health issues, or Social Security number.

Because children typically have no control over how their data is safeguarded, the theft of their data is considered especially harmful. Since cybercriminals frequently repackage and resell victims’ information, it can be difficult to establish a clear link between a specific data breach and a specific case of identity theft. However, a 2024 AARP study estimates that identity theft cost Americans almost $43 billion in 2023.

“We acknowledge the importance of this incident and deeply regret its occurrence,” stated Beth Keebler, a PowerSchool spokesman, in an email statement. Over the years, PowerSchool has made large investments in its cybersecurity program, culture, and personnel. This has been a focused and ongoing effort, and the company intends to keep making investments in this area.

Cybercriminals who steal confidential information frequently threaten to publish it if they are not paid a ransom. PowerSchool declined to answer NBC News’s questions about any extortion demand or payment. However, a person who answered the phone told NBC News that Mishka McCowan, the company’s chief information officer, had said during a private virtual meeting with clients that the company had paid the hacker and had a video that appeared to show them deleting the stolen material.

Experts in cybersecurity warn that hackers sometimes change their minds about releasing data, and it’s hard to confirm that the hacker didn’t create backup copies.


A hacker appeared to have had complete access to the SIS data of the schools that had contacted customer service in December. Although not all of PowerSchool’s clients were affected, the hack appears to have exposed the information of tens of millions of American children. The hacker has claimed the number is 62 million, though precise figures are still unknown. Bleeping Computer, a computer news site, was the first to report that figure.

The compromised data does not seem to be accessible to the general public online as of Thursday.

Private assessments of the incident found that the company failed to take basic precautions to protect student data. PowerSchool hired the cybersecurity firm CrowdStrike to assist with the breach investigation. According to an interim report prepared by CrowdStrike and distributed to a small number of school administrators, there was no evidence that the hackers had deployed malware or found a backdoor into PowerSchool’s systems. The report’s contents had not previously been made public and were later obtained by NBC News. Instead, the hacker simply obtained the password of a single employee, which gave them access to a Maintenance Access feature that allowed them to download the personal data of millions of children.

The company did not even know it had been the target of such a large-scale breach until late December, a few days after it occurred, when the hacker contacted the company to notify it and request money, according to the CrowdStrike investigation.

CrowdStrike declined to comment, as is customary in the industry.

In a private online chat with company representatives and school officials, an executive acknowledged that the hackers gained access to and downloaded the student records using an account that lacked two-factor authentication, one of the most fundamental cybersecurity requirements for any account, especially one that holds sensitive data. A participant who wished to remain anonymous sent NBC News a screenshot of the conversation.

That is an example of inadequate security, but it is not unusual in the EdTech sector, according to Bill Fitzgerald, an independent security expert for schools.

Fitzgerald told NBC News that it’s simply not best practice to not enforce multifactor authentication. However, this occurs frequently.


Doug Levin, national director of K12 SIX, a nonprofit organization dedicated to helping schools protect themselves from hackers, attributed the breach to lax cybersecurity standards across what is known as EdTech, the education-focused technology sector that schools increasingly rely on, particularly since the Covid-19 pandemic. Levin told NBC News that while the attack and the absence of protections were extreme, they were representative of the industry.

Referring to cybersecurity problems that beset the industry, he stated that it is unacceptable that neither K–12 schools nor their suppliers are held to a cybersecurity standard of practice for a sector that is so essential to the American way of life. The scope of this occurrence and the sensitive nature of the data make it unique.

A spokesperson for PowerSchool stated that the company was certain that fewer than 25% of students’ Social Security numbers were compromised, though that number could still be in the tens of millions. PowerSchool declined to provide specifics on the number of students impacted by the hack, citing its ongoing investigation.

Chief information officer Terry Loftus of the San Diego County Office of Education, which has seven districts that use PowerSchool, told NBC News that he was most worried about hackers getting access to other student data that some school districts store in SIS.

“We might be discussing impairments and the resources being made available to special education children,” Loftus said. “In terms of reselling to other malicious organizations or data brokers, this is extremely sensitive and valuable to threat actors.”

“Unless we hear differently, this will probably end up being the biggest breach of K–12 children as it stands right now,” he told NBC News.

According to a press release from the company, in certain instances, the PowerSchool program also contained information about past students, and their personal data was also stolen.

Usage of the SIS software varies by state, and there is no official public accounting of its reach, but PowerSchool has statewide contracts with Alabama, North Carolina, and South Carolina. Schools in Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Indiana, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, and Wyoming have also issued warnings to parents and students about the PowerSchool breach.


According to Georgia broadcaster 11Alive, around 230,000 current students in the state may have been impacted, based on data from the state’s Department of Education.

School districts have cautioned that in some cases the hackers stole highly specific data. According to Utah Schools for the Deaf and the Blind, the hackers were able to obtain not only students’ names, birthdays, and grades but also their locker numbers, locker combinations, and lunch account balances.

Schools are in the unfortunate position of relying on businesses like PowerSchool to protect their students’ private information, according to Sarah Powazek, director of the University of California, Berkeley’s public interest cybersecurity program, which provides cybersecurity assistance to civic organizations and schools that might not be able to afford it.

School districts are essentially powerless over this product, and they have no say in whether PowerSchool is following the right security protocols inside their own company. Powazek told NBC News that these instructional technology items have a significant influence over the schools.

PowerSchool has said publicly that it goes to great lengths to guarantee high cybersecurity standards. CEO Hardeep Gulati joined then-First Lady Jill Biden at a White House EdTech cybersecurity event in 2023. According to the company’s website, it takes a long list of precautions to safeguard the data of students and teachers, including regular security audits and comprehensive, continuous security/cybersecurity training for all staff members.

PowerSchool has also signed the nonprofit Future of Privacy Forum’s Student Privacy Pledge, committing to a number of fundamental measures to safeguard student data. PowerSchool’s status as a signatory is currently under review for possible violations of the pledge’s commitments, a representative for the Future of Privacy Forum told NBC News.
