Here we go again! Students, teachers dragged in to another breach

This time the company is called Power School. Apparently, they’re no better than the other school districts who collect needless information on students which may include in certain cases, social security numbers.

I can’t stress this enough! If you don’t need the SSN for anything, don’t collect it!

The problem with the numbers within this article is that its not known. This seems to me to be a rough estimate.

hacker in a school

PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that provides tools for enrollment, communication, attendance, staff management, learning systems, analytics, and finance.

The article continues:

Using this access, the threat actor utilized a customer support maintenance access tool to download student and teacher data from districts’ PowerSIS databases.

As first reported and seen by BleepingComputer, an FAQ stated that sensitive information, such as Social Security Numbers, medical information, and grades, was stolen for a subset of students impacted by the breach.

Why the fuck are you even collecting that data to begin with, you stupid fucks! This is a district issue, not power school directly.

And let me guess. The database was not password protected, knowing it contained sensitive information like SSN’s which may be needed for the employees. But my question still stands. Why the hell are you districts still collecting information on students which are sensitive?

I do have to give the company credit though, they seem to be transparent in their reporting, unlike some of the other companies we’ve covered through the years of this podcast.

I think this will be the second star we’ve given to a company for reporting things as they had it available. The second in 4 years and change of this podcast. Doesn’t look good, does it?

According to multiple sources, the threat actor behind the PowerSchool attack claimed to have stolen the data of 6,505 school districts in the US, Canada, and other countries in an extortion demand to the company.

So … who is the actor? I never saw any potential threat group or person’s name mentioned. Is that still not known?

In total, BleepingComputer was told that the PowerSchool data breach impacted 62,488,628 students and 9,506,624 teachers.

Seriously? And while the article says it covers both Canada and U.S. entities, Canada may be more because of how they operate.

Here in list form is what may have been taken. This was originally in table format with district, students and teachers as the headings.

  • Toronto District School Board 1,484,733 students 90,023 teachers
  • Peel District School Board 943,082 students 39,693 teachers
  • Dallas Independent School District 787,212 students 79,718 teachers
  • Calgary Board of Education 593,518 students 133,677 teachers
  • Memphis-Shelby County School 485,087 54,501
  • San Diego Unified 472,278 students Possibly not stolen for teachers
  • Charlotte-Mecklenburg Schools 467,974 students 57,486
  • Wake County Public School 461,005 students 92,783 teachers

So only in one instance, do we find that the teacher info may not have been taken. That’s fucking refreshing, isn’t it?

It should be noted that the numbers for Canadian school boards tend to be larger than US school districts as the boards govern all of the schools in a specific region in Canada.

The company thinks its actually not all that bad.

PowerSchool says that school districts decide what information is stored in the SIS database based on their district or State policy requirements. For this reason, it is expected that less than a quarter of impacted students had their Social Security Number exposed in the breach.

I’d love to see whether they actually right or not.

This may be a bigger problem as they have cloud and on sight services, and they have to check with those on sight people to see if data was taken.

The company also said that they have both cloud-based and on-premise PowerSchool SIS customers. For those districts self-hosting their databases, the data review is more complicated as they require the district to share information for analysis.

They’ll give students and teachers 2 years of protection regardless of whether they were affected by the breach, says the article.

PowerSchool hacker claims they stole data of 62 million students is the article. Have fun with this one!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.