School Districts Unaware BoardDocs Software Published Their Private Files via @mkeierleber https://www.the74million.org/article/school-districts-unaware-boarddocs-software-published-their-private-files/ #edtech #edusec #boarddocs @PogoWasRight @brett @funnymonkey
You may know this already, but in case you didn't: Threat actors have leaked some data from 2 more K-12 public school districts this week:
Some personal info on students at Coweta County School System was leaked by Nitrogen as proof of claims. I googled the parent information and found an exact match for name, address, and phone number.
Data from Kalamazoo Public School District was leaked by InterLock. InterLock claimed to have acquired 1,420 GB of data consisting of 724,477 Files and 82,820 Folders. It looks like they leaked it all but I didn't attempt to validate any data.
School District of Philadelphia paid nearly $700,000 to bad actors in cyber fraud scheme
https://www.cbsnews.com/philadelphia/news/school-district-of-philadelphia-cyber-fraud-scheme-scam/ #edtech #edusec @PogoWasRight @brett @funnymonkey
That's not accurate. The Information's wording and organization may have confused people.
Para 5 in the Information is about Employee 1, a contractor who worked for PowerSchool. The Information does not say Employee 1 was a telco (Victim 1) employee or that their PS credentials were acquired as part of the telco breach. Para 5 is unrelated to Para 4.
The Employee 1 creds used to access PowerSchool were acquired at a separate time and unrelated to the telco breach. I confirmed that with a source with knowledge of the incident.
The Information: https://www.justice.gov/usao-ma/media/1400921/dl
Also of note: the Information makes no mention of the second round of extortion attempts, which may mean that DOJ had no evidence connecting Lane to the second set of extortion demands. The second round of extortion demands purported to be from "ShinyHunters," but whether they really were or not has yet to be publicly confirmed or refuted by law enforcement.
@scottwilson I had the same reaction. I even emailed the Media contact for the Massachusetts USAO to ask why the information included enhanced sentences for use of "special skills" and use of "sophisticated means" under USSG § 3Bl.3 and USSG § 2B 1.1(b )(1 0)(C)), respectively.
What "special skills?"
What "sophisticated means?"
I suspect they won't really answer me, but... I had to ask.
#databreach #PowerSchool #EduSec #cybersecurity
UPDATING: The USAMA responded:
"The only information we can provide is that publicly available in the court filings - which are linked in the press release. Apart from that we have no comment. Thank you. "
Someone find me a good "shocked look" emoji, please.
Massachusetts hacker to plead guilty to PowerSchool data breach:
Related:
DOJ Press release: https://www.justice.gov/usao-ma/pr/worcester-college-student-plead-guilty-cyber-extortions
USA v. Matthew D. Lane - Information: https://www.justice.gov/usao-ma/media/1400921/dl
USA v. Matthew D. Lane - Plea Agreement:
https://www.justice.gov/usao-ma/media/1400926/dl
Don't procrastinate if you were affected:
Citizens whose SSN was compromised in the MOVEit breach at the National Student Clearinghouse (NSC) have until May 26, 2025, to file a claim to be part of the $9.95 million class action settlement.
Eligible individuals are those whose Social Security number was included in the files affected by the MOVEit security incident between May 28 and May 31, 2023. See more details and access the claim form at the official settlement website: https://nscsettlement.com/
Some useful advice here: PowerSchool Data Breach Developments https://www.edtechirl.com/p/powerschool-data-breach-developments #edtech #edusec #powerschool @PogoWasRight @funnymonkey @brett
Today's reminder why NOT to pay criminals' extortion demands to delete data:
PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
NOTE: I subsequently edited my post to clarify that the ransom demand to the state (North Carolina) claimed to be from ShinyHunters. I haven't yet seen any ransom notes to individual districts and I do not know how those were signed or claimed. Stay tuned, I guess....
#PowerSchool #hack #EduSec #EdTech #extortion #databreach
@douglevin @funnymonkey @mkeierleber @brett @euroinfosec @jgreig
@lavxnews It's time people stopped claiming that breaches that have occurred over and over again for years are a "wake up call" for anything. Every sector has had "wake up calls" galore, including the education sector. Nobody woke up. Nobody is still waking up. Instead of a headline calling a breach a "wake up call," maybe the headline should be "Yet another avoidable breach will lead to a major lawsuit."
Santa Fe ISD parents are concerned about data security after 'cyber event' disrupts campus network https://abc13.com/post/santa-fe-isd-working-fix-network-issues-cyber-event-disrupts-internet-phone-service-campus/16242442/ #edtech #edusec @PogoWasRight @brett @funnymonkey
Baltimore City Public Schools ramping up cybersecurity measures after data breach https://www.cbsnews.com/baltimore/news/baltimore-city-public-schools-cybersecurity-breach-maryland/ #edtech #edusec @PogoWasRight @brett @funnymonkey
Rainbow District School Board still doesn't provide answers to reasonable questions about its cyberattack, claiming exemptions under relevant Ontatio municipal freedom of information law:
Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw
https://securityaffairs.com/88696/breaking-news/llucian-banner-web-flaw.html #edtech #edusec @PogoWasRight @boblord @brett @funnymonkey
Smiley calls for data sharing once Providence gets its schools back from state:
Direct link to Providence's plan: https://www.providenceri.gov/wp-content/uploads/2025/04/Providence-PPSD-Transition-Plan.pdf Pages 51-56 seem to be about data management.
Fall River schools chief: No insurance for cyberattack; says computer system remains down:
Could Trump Budget Cuts Lead to More Cyberattacks Against Schools? (tl;dr YES)
https://archive.ph/GaGhr #edtech #edusec @PogoWasRight @brett @funnymonkey
Sensitive data was leaked in 2024 Highline Public Schools ransomware attack https://www.seattletimes.com/education-lab/sensitive-data-was-leaked-in-2024-highline-public-schools-ransomware-attack/ #edtech #edusec @PogoWasRight @brett @funnymonkey
Takeaways from our investigation on AI-powered school surveillance. The AP and Seattle Times teamed up on this investigation.
From their overview: "But these tools raise serious questions about privacy and security. In fact, when The Seattle Times and The Associated Press partnered to investigate school surveillance, reporters inadvertently received access to almost 3,500 sensitive, unredacted student documents through a records request. The documents were stored without a password or firewall, and anyone with the link could read them."
It's silly season again: "82% of K-12 schools recently experienced a cyber incident" - a number that is both too high and too low, depending on what we think we are counting... Brought to you by the folks who claim U.S. K-12 is the #1 cyber target on the planet https://www.k12dive.com/news/k-12-schools-experienced-cyber-incident-cis/741915/ #edtech #edusec @PogoWasRight @brett @funnymonkey
