#PowerSchool hacker now extorting individual school districts
PowerSchool, the cloud platform provider providing services to school boards across Canada & the US, has confirmed that even though a ransom was paid to the cybercriminals holding the data ransom & assurances were received that the data was destroyed, the criminals have returned demanding more money, as they have not actually destroyed the data.
This unfortunately highlights the biggest risk when it comes to paying ransom for data destruction: threat actors can always come back demanding more once they realize exactly how valuable the data is.
www.thestar.com/news/gta/student-data-obtained-in-a-cyberattack-on-gta-school-boards-was-supposed-to-be-destroyed/article_cf2901bb-3fcc-4f84-ad7b-32399076b7e5.html
#infosec #PowerSchool #PowerSchoolHack #ransom #TDSB #YRDSB #PDSB #Toronto #YorkRegion #PeelRegion #Ontario #Canada
#PowerSchool previously hacked in August, months before #DataBreach
#PowerSchool #DataBreach affected 16,000 students in the #UK
https://techcrunch.com/2025/02/07/powerschool-data-breach-affected-16000-students-in-the-uk/
Thanks to TechCrunch for this fine synopsis, and for keeping this issue in the light.
Rochester NY had 134,000 students and an unspecified number of staff members affected by the #PowerSchool #databreach. Here's their breach page:
https://www.rcsdk12.org/databreach
I'm not sure if this is the first that they are posting anything or alerting anyone.
#PowerSchool data #breach victims say #hackers stole 'all' historical student and teacher data | TechCrunch
#privacy #hack
A work in progress, but in lieu of communications directly from #PowerSchool, an unofficial FAQ on the latest cyber incident: https://www.k12six.org/news/powerschool-cyber-incident-faq #edtech #edusec @PogoWasRight @brett @funnymonkey
Holler with suggested additions, edits.
Database Tables of Student, Teacher Info Stolen From #PowerSchool In #Cyberattack - Slashdot
#privacy #security #pii #hack
Lexington School District Four in SC reported that 15,894 residents were affected by the PowerSchool breach. The state reached out to districts on Jan. 8 to tell them what was known at that time.
The district filed this with the state today: https://www.consumer.sc.gov/sites/consumer/files/Documents/Security%20Breach%20Notices/2025/LexingtonSchoolDistrictFour.pdf
It appears to be a copy of what they have sent out to residents as a preliminary notification.
If memory serves, PowerSchool had told districts they would be giving them something for communications by the evening of the 8th. Did they ever do that? Or are the four bullets in the district's notification what #PowerSchool gave districts to use?
The first federal lawsuits against #PowerSchool were filed on Jan. 8 and Jan. 9. Bloomberg Law has more on this:
NEW by me in light of all the frustration I'm hearing from people affected by the PowerSchool breach:
PowerSchool Incident: A few resources for teachers, parents, and former students: https://databreaches.net/2025/01/10/powerschool-incident-a-few-resources-for-teachers-parents-and-former-students/
Some folks may get confused by PowerSchool saying that if they have medical records on students, they may have to notify under HIPAA.
Most student medical/health records are not covered under HIPAA. They are covered under FERPA.
If the district is billing the student's health insurance for services like speech therapy, physical therapy, or occupational therapy, then there's a HIPAA issue. Or if the school has arrangements with an actual clinic that is providing medical/health services to students. But most things like doctor's absence notes or even allergy action plans or school medication orders are not under HIPAA.
If the district has a health plan for employees that it administers, there's also a HIPAA issue there.
This #powerschool incident is … not great.
50 million students’ data (including SSNs, addresses, medical information) was obtained and held ransom. PowerSchool paid the ransom. Bain Capital owns the company.
Headline: #PowerSchool hack exposes student, teacher data from K-12 districts
Lawsuit Accuses #PowerSchool of Selling #StudentData to 3rd Parties - Business Insider
A lawsuit accuses Bain Capital's PowerSchool of trafficking in student data. The #edtech giant says everything it does is legal.
#baincapital #education #school #privacy