this post was submitted on 08 Jan 2025
31 points (100.0% liked)


Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.

top 8 comments
[–] thefartographer@lemm.ee 10 points 8 months ago

In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.

Oh good, I'm glad to see they're forming a fuckup club

[–] reddig33@lemmy.world 5 points 8 months ago (1 children)
[–] Spacehooks@reddthat.com 1 points 8 months ago (1 children)
[–] reddig33@lemmy.world 3 points 8 months ago (1 children)

Dunno. I just thought it was interesting. It was at one time owned by Apple, though that was long ago and it has changed hands many times. It made me wonder if the company would have been more security conscious if they were still owned by a tech firm.

[–] Prox@lemmy.world 1 points 7 months ago

The answer is "no", because the market they serve (K12 schools) cares about security, but they don't care enough (or have the budget) to actually pay for it.

[–] Spacehooks@reddthat.com 2 points 8 months ago (1 children)

Lol it's kind of funny you can just export all that sensitive data to an Excel document and they didn't have rotating passwords

[–] wizardbeard@lemmy.dbzer0.com 2 points 8 months ago* (last edited 8 months ago) (1 children)

Exporting from almost any database software to Excel/spreadsheet/some other easily audited/human readable format is a pretty standard feature, and is pretty useful for troubleshooting and for ingesting into other tools and systems when there isn't some proper path through an API.

That said, all of that private data should only be accessible in that form by a break-glass account properly secured with pass rotation.

But I know that there's probably 5 personal accounts at my workplace in our HR/Payroll software that could export the full data from it to Excel. A lot more that could export everything except the payroll info. Unfortunately that was a project that didn't involve any tech staff until four months before it was supposed to go live, and was configured entirely by a third party vendor "for security" and so we wouldn't peep other people's pay. That's all to say that something like this breach isn't super surprising to me.

[–] Spacehooks@reddthat.com 1 points 8 months ago