$1.8 million stolen from Broken Bow Public Schools in phishing scam https://ruralradio.com/kuvr/news/1-8-million-stolen-from-broken-bow-public-schools-in-phishing-scam/ #edtech #bec #edusec @PogoWasRight @brett @funnymonkey

Hackers may have had access to Fall River schools' data for months before cyberattack https://www.heraldnews.com/story/news/2025/06/25/fall-river-schools-cyberattack-suspicious-activity-months-before-ransomware/84359211007/ #edtech #edusec @PogoWasRight @brett @funnymonkey
Breaches have consequences (sometimes):
"On Monday, the North Carolina State Board of Education approved a six-month, roughly $270,000 contract with PowerSchool for professional evaluations and onboarding services. The contract, NCDPI noted, isn’t related to the student information system, which was hacked in December. That system’s contract will expire at the end of June and won’t be renewed."
https://www.wect.com/2025/06/25/ncdpi-renews-contract-with-powerschool-after-massive-data-breach/
You may know this already, but in case you didn't: Threat actors have leaked some data from 2 more K-12 public school districts this week:
Some personal info on students at Coweta County School System was leaked by Nitrogen as proof of claims. I googled the parent information and found an exact match for name, address, and phone number.
Data from Kalamazoo Public School District was leaked by InterLock. InterLock claimed to have acquired 1,420 GB of data consisting of 724,477 Files and 82,820 Folders. It looks like they leaked it all but I didn't attempt to validate any data.
That's not accurate. The Information's wording and organization may have confused people.
Para 5 in the Information is about Employee 1, a contractor who worked for PowerSchool. The Information does not say Employee 1 was a telco (Victim 1) employee or that their PS credentials were acquired as part of the telco breach. Para 5 is unrelated to Para 4.
The Employee 1 creds used to access PowerSchool were acquired at a separate time and unrelated to the telco breach. I confirmed that with a source with knowledge of the incident.
The Information: https://www.justice.gov/usao-ma/media/1400921/dl
Also of note: the Information makes no mention of the second round of extortion attempts, which may mean that DOJ had no evidence connecting Lane to the second set of extortion demands. The second round of extortion demands purported to be from "ShinyHunters," but whether they really were or not has yet to be publicly confirmed or refuted by law enforcement.
@scottwilson I had the same reaction. I even emailed the Media contact for the Massachusetts USAO to ask why the information included enhanced sentences for use of "special skills" and use of "sophisticated means" under USSG § 3B1.3 and USSG § 2B1.1(b)(10)(C), respectively.
What "special skills?"
What "sophisticated means?"
I suspect they won't really answer me, but... I had to ask.
#databreach #PowerSchool #EduSec #cybersecurity
UPDATING: The USAMA responded:
"The only information we can provide is that publicly available in the court filings - which are linked in the press release. Apart from that we have no comment. Thank you."
Someone find me a good "shocked look" emoji, please.
Massachusetts hacker to plead guilty to PowerSchool data breach:
Related:
DOJ Press release: https://www.justice.gov/usao-ma/pr/worcester-college-student-plead-guilty-cyber-extortions
USA v. Matthew D. Lane - Information: https://www.justice.gov/usao-ma/media/1400921/dl
USA v. Matthew D. Lane - Plea Agreement:
https://www.justice.gov/usao-ma/media/1400926/dl
Don't procrastinate if you were affected:
Citizens whose SSN was compromised in the MOVEit breach at the National Student Clearinghouse (NSC) have until May 26, 2025, to file a claim to be part of the $9.95 million class action settlement.
Eligible individuals are those whose Social Security number was included in the files affected by the MOVEit security incident between May 28 and May 31, 2023. See more details and access the claim form at the official settlement website: https://nscsettlement.com/
Today's reminder why NOT to pay criminals' extortion demands to delete data:
PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
NOTE: I subsequently edited my post to clarify that the ransom demand to the state (North Carolina) claimed to be from ShinyHunters. I haven't yet seen any ransom notes to individual districts and I do not know how those were signed or claimed. Stay tuned, I guess....
#PowerSchool #hack #EduSec #EdTech #extortion #databreach
@douglevin @funnymonkey @mkeierleber @brett @euroinfosec @jgreig
@lavxnews It's time people stopped claiming that breaches that have occurred over and over again for years are a "wake up call" for anything. Every sector has had "wake up calls" galore, including the education sector. Nobody woke up. Nobody is still waking up. Instead of a headline calling a breach a "wake up call," maybe the headline should be "Yet another avoidable breach will lead to a major lawsuit."
Rainbow District School Board still doesn't provide answers to reasonable questions about its cyberattack, claiming exemptions under relevant Ontario municipal freedom of information law:
Smiley calls for data sharing once Providence gets its schools back from state:
Direct link to Providence's plan: https://www.providenceri.gov/wp-content/uploads/2025/04/Providence-PPSD-Transition-Plan.pdf Pages 51-56 seem to be about data management.
Fall River schools chief: No insurance for cyberattack; says computer system remains down:
Takeaways from our investigation on AI-powered school surveillance. The AP and Seattle Times teamed up on this investigation.
From their overview: "But these tools raise serious questions about privacy and security. In fact, when The Seattle Times and The Associated Press partnered to investigate school surveillance, reporters inadvertently received access to almost 3,500 sensitive, unredacted student documents through a records request. The documents were stored without a password or firewall, and anyone with the link could read them."
What do you think about this report out of Umatilla? Is this PowerSchool or something unrelated? If they just discovered a breach this week?
https://www.vpnranks.com/news/umatilla-schools-data-breach-exposes-student-records/
Here's another Canadian school that had decades of student data caught up in the PowerSchool breach:
Wellington Catholic District School Board:
https://www.wellingtonadvertiser.com/cybersecurity-breach-involves-29-years-of-catholic-school-board-data/
@douglevin @funnymonkey @brett
American School of Dubai mentioned as having been affected: https://www.dmnews.com/school-districts-worldwide-impacted-by-powerschool-breach/
I must have missed something. I thought PowerSchool hit US and Canada. It also hit some Bermuda schools?
"Ms Richards said the company confirmed the breach included “data from some Bermuda public schools families and teachers”."
@douglevin @funnymonkey @mkeierleber
So I could be wrong, but I think the only way they may be able to do that for minor kids who don't have a credit report already is to have Experian create a credit report for the minor which they then monitor.
So now your kid has a credit report, which they never should have had as a minor, and what happens after two years when Experian stops monitoring it?
Has anyone asked them about that?
Well, smart move by PowerSchool on this: "PowerSchool will be offering two years of complimentary identity protection services for all students and educators whose information was involved and will also be offering two years of complimentary credit monitoring services for all adult students and educators whose information was involved. We are doing this regardless of whether an individual’s Social Security Number was exfiltrated."