
Privacy Databases

Database Tables of Student, Teacher Info Stolen From PowerSchool In Cyberattack (theregister.com)

An anonymous reader quotes a report from The Register: A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students' and teachers' personal data -- including some Social Security Numbers and medical info -- stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers. On December 28 someone managed to get into its systems and access their contents "using a compromised credential," the California-based biz told its clients in an email seen by The Register this week.

[...] "We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators. For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information. Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations."
While the company has tightened security measures and offered identity protection services to affected individuals, cybersecurity firm Cyble suggests the intrusion "may have been more serious and gone on much longer than has been publicly acknowledged so far," reports The Register. The cybersecurity vendor says the intrusion could have occurred as far back as June 16, 2011, with it ending on January 2 of this year.

"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised, too.


  • Little Bobby Tables [xkcd.com] strikes again...

    • It really does sound like a Bobby Tables issue, in which case someone needs to be prosecuted. There is absolutely no reason to have inline SQL escaping. Ever. If it is SQL injection, it is gross negligence on the developer's part.

  • Let's see, does each school-level login have full table access?
    And does the student information system database hold all schools in one DB?

  • Would like to see school districts and state government investigate this breach to find out the full set of technologies used,
    what company did the development, who does administration, who does development and what countries had people who could access the PII of minors/people under 18.

    • by smap77 ( 1022907 )

      Find a district with enough extra money and maybe you'll get something... but do you really expect something more than a kludge and a default password?

  • by ctilsie242 ( 4841247 ) on Friday January 10, 2025 @06:26PM (#65079563)

    I don't get this at all. There are SO many ways to protect social security numbers sitting in a database:

    * You can use views so someone can query the DB and do updates, but not allow access to the SSN field.

    * You can use app-level encryption on a column level. This is built into MS SQL Server, and can easily be done on the backend.

    * You can have the backend API only give reports on certain fields.

    * You can have logging in place.

    The worst thing is the mention that this attack has gone on for years. However, just like almost every other PII attack, some wrists will be slapped, even though for most schools, FERPA compliance would be a big thing.

    It makes me wonder what stuff was modified in that database too. I can see a criminal org offering services to change grades of Billy the Bonger so he can get into a good school, or to add fake disciplinary issues to Jill's record just to cause them trouble, perhaps as a way to get CPS involved out of malice. Hacking isn't just slurping data, it is modifying it, and there is likely a ton of money that can be had if a rogue org offered parents a way to mark their kids up and others down, or just dig through private records and hand them to the press as a way of doxing.

    • I agree with all of that. What did strike me is why a K-12 school is logging healthcare information in a database in the first place. But nevertheless, this is just proof that even as decades go on, the xkcd meme of Bobby Tables as mentioned above is still a thing. Given the astonishing security holes I've found in commonly used systems like electronic medical records, monitoring systems for commercial fuel tanks, and worse, I don't think any of this is going to be fixed soon. I've lost any hope of that. So

      • by rilian4 ( 591569 )
        I can't speak for all districts but mine has life-threatening or severe health conditions listed for kids who have them so that teachers will be aware of them. It's not their complete health history, only the major stuff. I would guess that's the healthcare info mentioned that was stolen in this hack but I cannot be certain.
      • K-12 has historically been a place where things are a low bar, and an all-in-one application that took care of little Sue's grades, illness, attendance, discipline reports and all that is a welcome addition. I'm sure they assumed the vendor would take care of security on the DB backend, so I can't really fault them with this. Maybe FERPA needs to be more rigorously certified, like HIPAA, so stuff like this doesn't happen.

        The sad thing is that stuff like this likely will continue. Schools really don
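The controls ctilsie242 lists above (a view that omits the sensitive columns, a database principal that cannot read them directly, a report API limited to named fields, and logging of what was queried) as one runnable example. This is added illustration, not code from the thread, from PowerSchool, or from any real SIS; the table, view and principal names (students, students_contact, sis_app, dba) and the rows are constructed for it. SQLite has no GRANT, so its set_authorizer hook stands in for the restricted database role a real RDBMS would use; the column-level encryption mentioned in the comment is not shown.

```python
"""Least-privilege access to a student table: the application reads a view
without SSN or medical data, its principal is denied direct reads of those
columns, the report API allowlists fields, and every query is logged.
Standard library only; all data below is constructed, not real."""
import os
import sqlite3
import tempfile

# Constructed sample rows: (id, name, address, grade, ssn, medical_alert).
SAMPLE_STUDENTS = [
    (1, "Ada Example", "1 Main St, Springfield", "B+", "123-45-6789", "peanut allergy"),
    (2, "Ben Sample", "2 Oak Ave, Springfield", "A-", "987-65-4321", None),
]
SENSITIVE_COLUMNS = {("students", "ssn"), ("students", "medical_alert")}
REPORTABLE_FIELDS = ("id", "name", "address", "grade")  # the report API never exposes more


def build_db(path):
    """Create the base table, a contact view without the sensitive columns, and an audit table."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, address TEXT,"
                 " grade TEXT, ssn TEXT, medical_alert TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_STUDENTS)
    # The view is the only object the day-to-day application should read from.
    conn.execute("CREATE VIEW students_contact AS"
                 " SELECT id, name, address, grade FROM students")
    conn.execute("CREATE TABLE access_log (ts TEXT DEFAULT CURRENT_TIMESTAMP,"
                 " principal TEXT, query TEXT)")
    conn.commit()
    conn.close()


def connect_as(path, principal):
    """One connection per principal, with the column-level check bound at connect time.

    set_authorizer stands in for a restricted database role (hypothetical role names
    sis_app and dba).  It runs when a statement is prepared, which is why each
    principal gets its own connection: a statement cached on a shared connection and
    prepared under a more privileged principal would otherwise skip the check.
    """
    conn = sqlite3.connect(path)

    def authorizer(action, table, column, db_name, trigger):
        if (action == sqlite3.SQLITE_READ and principal != "dba"
                and (table, column) in SENSITIVE_COLUMNS):
            return sqlite3.SQLITE_DENY      # the statement fails to prepare
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def audited_query(conn, principal, sql, params=()):
    """Log the statement before running it, so even a denied dump attempt leaves a trace."""
    conn.execute("INSERT INTO access_log (principal, query) VALUES (?, ?)", (principal, sql))
    conn.commit()
    return conn.execute(sql, params).fetchall()


def contact_report(conn, principal, fields):
    """Backend report API: allowlisted fields only, read through the view, never the base table."""
    rejected = [f for f in fields if f not in REPORTABLE_FIELDS]
    if rejected:
        raise ValueError(f"fields not reportable: {rejected}")
    columns = ", ".join(fields)             # safe to interpolate: every name passed the allowlist
    return audited_query(conn, principal, f"SELECT {columns} FROM students_contact")


def demo():
    """Exercise the controls and return what each principal could see."""
    path = os.path.join(tempfile.mkdtemp(), "sis.db")
    build_db(path)
    app, dba = connect_as(path, "sis_app"), connect_as(path, "dba")
    out = {"report": contact_report(app, "sis_app", ("name", "grade"))}
    try:                                    # the report API refuses a field off the allowlist
        contact_report(app, "sis_app", ("name", "ssn"))
        out["api"] = "exposed ssn"
    except ValueError as exc:
        out["api"] = f"rejected: {exc}"
    try:                                    # a bulk dump with the app credential
        audited_query(app, "sis_app", "SELECT * FROM students")
        out["dump"] = "allowed"
    except sqlite3.DatabaseError as exc:
        out["dump"] = f"denied: {exc}"
    out["dba_ssn"] = audited_query(dba, "dba", "SELECT ssn FROM students WHERE id = ?", (1,))
    out["log"] = audited_query(dba, "dba",
                               "SELECT principal, query FROM access_log ORDER BY rowid")
    app.close()
    dba.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The log is written at the application layer here because SQLite has no audit facility; on an engine that offers server-side auditing, use that instead, since a credential that bypasses the application also bypasses application-side logging.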

  • SSN?

    by ThePiMan2003 ( 676665 ) on Friday January 10, 2025 @06:58PM (#65079609)

    In what world does an online gradebook need the student's Social Security Number? We are not supposed to be using those as ID numbers anymore.

