Replied to Doug Levin
So they wouldn't have committed without that "engagement?"
#PowerSchool #EduSec #databreach
"We take your privacy and security very seriously... when we have to," admitted no entity, ever.
#edusec
4 posts2 participants4 posts today
PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/nr-c-20250722/ #edtech #edusec #powerschool @PogoWasRight @funnymonkey
Lexington-Richland School District Five provides update on June security breach https://www.wistv.com/2025/07/22/lexington-richland-school-district-five-provides-update-june-security-breach/ #edtech #edusec @PogoWasRight @funnymonkey
WIS News 10 · Lexington-Richland School District Five provides update on June security breach
The St. Lawrence Lewis Board of Cooperative Educational Services ("BOCES") in New York has reported a breach that impacted 10,993 people. The types of information involved included: SSN, name, address, DOB, tax identification number, medical information, and financial account information.
The "cybersecurity incident" was discovered on August 12, 2024 and just reported this week to the Maine Attorney General's Office, although letters were sent out to those affected in June.
www.maine.govOffice of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches
The Clearbrook-Gonvick School District in Minnesota has disclosed a breach that occurred in October 2024. The types of information involved included names, Social Security numbers, driver's license or state ID numbers, individual taxpayer identification numbers, financial account information, and student identification numbers.
markets.financialcontent.com · Notice of Data Privacy IncidentNotice of Data Privacy Incident
$1.8 million stolen from Broken Bow Public Schools in phishing scam https://ruralradio.com/kuvr/news/1-8-million-stolen-from-broken-bow-public-schools-in-phishing-scam/ #edtech #bec #edusec @PogoWasRight @brett @funnymonkey
KUVR · $1.8 million stolen from Broken Bow Public Schools in phishing scamBROKEN BOW – Broken Bow Public Schools announced Monday that a cybersecurity breach resulted in a $1.8 million payment being directed to a fraudulent account. According to a release…
Hackers may have had access to Fall River schools' data for months before cyberattack https://www.heraldnews.com/story/news/2025/06/25/fall-river-schools-cyberattack-suspicious-activity-months-before-ransomware/84359211007/ #edtech #edusec @PogoWasRight @brett @funnymonkey
Fall River Herald News · Hackers may have had access to Fall River schools' data for months before cyberattack
Breaches have consequences (sometimes):
"On Monday, the North Carolina State Board of Education approved a six-month, roughly $270,000 contract with PowerSchool for professional evaluations and onboarding services. The contract, NCDPI noted, isn’t related to the student information system, which was hacked in December. That system’s contract will expire at the end of June and won’t be renewed."
https://www.wect.com/2025/06/25/ncdpi-renews-contract-with-powerschool-after-massive-data-breach/
WECT · NCDPI renews contract with PowerSchool after massive data breach
You may know this already, but in case you didn't: Threat actors have leaked some data from 2 more K-12 public school districts this week:
Some personal info on students at Coweta County School System was leaked by Nitrogen as proof of claims. I googled the parent information and found an exact match for name, address, and phone number.
Data from Kalamazoo Public School District was leaked by InterLock. InterLock claimed to have acquired 1,420 GB of data consisting of 724,477 Files and 82,820 Folders. It looks like they leaked it all but I didn't attempt to validate any data.
Replied in thread
That's not accurate. The Information's wording and organization may have confused people.
Para 5 in the Information is about Employee 1, a contractor who worked for PowerSchool. The Information does not say Employee 1 was a telco (Victim 1) employee or that their PS credentials were acquired as part of the telco breach. Para 5 is unrelated to Para 4.
The Employee 1 creds used to access PowerSchool were acquired at a separate time and unrelated to the telco breach. I confirmed that with a source with knowledge of the incident.
The Information: https://www.justice.gov/usao-ma/media/1400921/dl
Also of note: the Information makes no mention of the second round of extortion attempts, which may mean that DOJ had no evidence connecting Lane to the second set of extortion demands. The second round of extortion demands purported to be from "ShinyHunters," but whether they really were or not has yet to be publicly confirmed or refuted by law enforcement.
Replied in thread
@scottwilson I had the same reaction. I even emailed the Media contact for the Massachusetts USAO to ask why the information included enhanced sentences for use of "special skills" and use of "sophisticated means" under USSG § 3Bl.3 and USSG § 2B 1.1(b )(1 0)(C)), respectively.
What "special skills?"
What "sophisticated means?"
I suspect they won't really answer me, but... I had to ask.
#databreach #PowerSchool #EduSec #cybersecurity
UPDATING: The USAMA responded:
"The only information we can provide is that publicly available in the court filings - which are linked in the press release. Apart from that we have no comment. Thank you. "
Someone find me a good "shocked look" emoji, please.
Massachusetts hacker to plead guilty to PowerSchool data breach:
Related:
DOJ Press release: https://www.justice.gov/usao-ma/pr/worcester-college-student-plead-guilty-cyber-extortions
USA v. Matthew D. Lane - Information: https://www.justice.gov/usao-ma/media/1400921/dl
USA v. Matthew D. Lane - Plea Agreement:
https://www.justice.gov/usao-ma/media/1400926/dl
Don't procrastinate if you were affected:
Citizens whose SSN was compromised in the MOVEit breach at the National Student Clearinghouse (NSC) have until May 26, 2025, to file a claim to be part of the $9.95 million class action settlement.
Eligible individuals are those whose Social Security number was included in the files affected by the MOVEit security incident between May 28 and May 31, 2023. See more details and access the claim form at the official settlement website: https://nscsettlement.com/
Today's reminder why NOT to pay criminals' extortion demands to delete data:
PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
NOTE: I subsequently edited my post to clarify that the ransom demand to the state (North Carolina) claimed to be from ShinyHunters. I haven't yet seen any ransom notes to individual districts and I do not know how those were signed or claimed. Stay tuned, I guess....
#PowerSchool #hack #EduSec #EdTech #extortion #databreach
@douglevin @funnymonkey @mkeierleber @brett @euroinfosec @jgreig
@lavxnews It's time people stopped claiming that breaches that have occurred over and over again for years are a "wake up call" for anything. Every sector has had "wake up calls" galore, including the education sector. Nobody woke up. Nobody is still waking up. Instead of a headline calling a breach a "wake up call," maybe the headline should be "Yet another avoidable breach will lead to a major lawsuit."
Rainbow District School Board still doesn't provide answers to reasonable questions about its cyberattack, claiming exemptions under relevant Ontatio municipal freedom of information law:
Smiley calls for data sharing once Providence gets its schools back from state:
Direct link to Providence's plan: https://www.providenceri.gov/wp-content/uploads/2025/04/Providence-PPSD-Transition-Plan.pdf Pages 51-56 seem to be about data management.
Rhode Island Current · Smiley calls for data sharing once Providence gets its schools back from state - NewsBreak
Fall River schools chief: No insurance for cyberattack; says computer system remains down:
Fall River Herald News · Fall River schools chief: No insurance for cyberattack; says computer system remains down
Takeaways from our investigation on AI-powered school surveillance. The AP and Seattle Times teamed up on this investigation.
From their overview: "But these tools raise serious questions about privacy and security. In fact, when The Seattle Times and The Associated Press partnered to investigate school surveillance, reporters inadvertently received access to almost 3,500 sensitive, unredacted student documents through a records request. The documents were stored without a password or firewall, and anyone with the link could read them."
AP News · AI surveillance on school Chromebooks has security issues, investigation shows
What do you think about this report out of Umatilla? Is this PowerSchool or something unrelated? If they just discovered a breach this week?
https://www.vpnranks.com/news/umatilla-schools-data-breach-exposes-student-records/