Database Tables of Student, Teacher Info Stolen From PowerSchool In Cyberattack (theregister.com) 18
An anonymous reader quotes a report from The Register: A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data -- including some Social Security Numbers and medical info -- stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers. On December 28 someone managed to get into its systems and access their contents "using a compromised credential," the California-based biz told its clients in an email seen by Register this week.
[...] "We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators. "For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information. "Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations." While the company has tightened security measures and offered identity protection services to affected individuals, cybersecurity firm Cyble suggests the intrusion "may have been more serious and gone on much longer than has been publicly acknowledged so far," reports The Register. The cybersecurity vendor says the intrusion could have occurred as far back as June 16, 2011, with it ending on January 2 of this year.
"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised, too.
[...] "We believe the unauthorized actor extracted two tables within the student information system database," a spokesperson told us. "These tables primarily include contact information with data elements such as name and address information for families and educators. "For a certain subset of the customers, these tables may also include Social Security Number, other personally identifiable information, and limited medical and grade information. "Not all PowerSchool student information system customers were impacted, and we anticipate that only a subset of impacted customers will have notification obligations." While the company has tightened security measures and offered identity protection services to affected individuals, cybersecurity firm Cyble suggests the intrusion "may have been more serious and gone on much longer than has been publicly acknowledged so far," reports The Register. The cybersecurity vendor says the intrusion could have occurred as far back as June 16, 2011, with it ending on January 2 of this year.
"Critical systems and applications such as Oracle Netsuite ERP, HR software UltiPro, Zoom, Slack, Jira, GitLab, and sensitive credentials for platforms like Microsoft login, LogMeIn, Windows AD Azure, and BeyondTrust" may have been compromised, too.
Bobby? (Score:3)
Little Bobby Tables [xkcd.com] strikes again...
Re: (Score:2)
It really does sound like a Bobby Tables issue, in which case someone needs to be prosecuted. There is absolutely no reason to have inline SQL escaping. Ever. If it is SQL injection, it is gross negligence on the developer's part.
lets see does each school level login have full ta (Score:3)
lets see does each school level login have full table access?
and the student information system database has all schools in one DB?
Partitioning of data (Score:2)
Would like to see school districts and state government investigate this breach to find out the full set of technologies used,
what company did the development, who does administration, who does development and what countries had people who could access the PII of minors/people under 18.
Re: (Score:2)
Find a district with enough extra money and maybe you'll get something... but do you really expect something more than a kludge and a default password?
Could be fixed with DBA 101 techniques... (Score:3)
I don't get this at all. There are SO many ways to protect social security numbers sitting in a database:
* You can use views so someone can query the DB and do updates, but not allow access to the ssn field.
* You can use app level encryption on a column level. This is built into MS SQL Server, and can easily be done on the backend.
* You can have the backend API only give reports on certain fields.
* You can have logging in place.
The worst thing is mention that this attack has gone on for years. However, just like almost every other PII attack, some wrists will be slapped, even though for most schools, FERPA compliance would be a big thing.
It makes me wonder what stuff was modified in that database too. I can see a criminal org offering services to change grades of Billy the Bonger so he can get into a good school, or to add fake disciplinary issues to Jill's record just to cause them trouble, perhaps as a way to get CPS involved out of malice. Hacking isn't just slurping data, it is modifying it, and there is likely a ton of money that can be had if a rogue org offered parents a way to mark their kids up and others down, or just dig through private records and hand them to the press as a way of doxing.
Re: (Score:3)
I agree with all of that. What did strike me is why a K-12 school is logging healthcare information in a database in the first place. But nevertheless, this is just proof that even as decades go on, the xkcd meme of Bobby Tables as mentioned above is still a thing. Given the astonishing security holes I've found in commonly used systems like electronic medical records, monitoring systems for commercial fuel tanks, and worse, I don't think any of this is going to be fixed soon. I've lost any hope of that. So
Re:Could be fixed with DBA 101 techniques... (Score:4, Insightful)
Re: Could be fixed with DBA 101 techniques... (Score:2)
Re: (Score:1)
I can't speak for all districts but mine has life-threatening or severe health conditions listed for kids who have them so that teachers will be aware of them. It's not their complete heath history, only the major stuff. I would guess that's the healthcare info mentioned that was stolen in this hack but I cannot be certain.
Probably IEP info as well, for special needs.
Re: (Score:2)
K-12 has historically been a place where things are a low bar, and an all-in-one application that took care of little Sue's grades, illness, attendance, discipline reports and all that is a welcome addition. I'm sure they assumed the vendor would take care of security on the DB backend, so I can't really fault them with this. Maybe FERPA needs to be more rigorously certified, like HIPAA, so stuff like this doesn't happen.
The sad thing is that stuff like this stuff likely will continue. Schools really don
Re: (Score:2)
the higher the grades are the more funding the schools get
SSN? (Score:4, Interesting)
In what world does an online gradebook need the student's Social Security Numbers. We are not supposed to be using those as ID numbers anymore.
Not necessity, but convenience (Score:4, Informative)
1) State record keeping: many states require SSN's as a backup ID for student verification. (State ID #s are only about 99.5% reliable. Working in my database, there's inaccuracies every year that our designated state-records manager has to investigate and correct. [One such example: a student transferred into the district from out-of-state, so a new State ID# was made for them, but we found out a year later they already had an existing State ID# from when they attended kindergarten in-state in a different district a decade prior.] Every district has a state-records manager, and each of them create, maintain, and verify those ID #s when students transfer between schools, but they don't always do a great job at it.)
2) Transcripts for colleges: some colleges request SSN's as part of student data records request. (They shouldn't have to, but it happens frequently.)
3) Health records: health records get shared occasionally with hospitals, and they use SSN's for record verification.
4) Subpoenas: law enforcement may request an SSN as part of a subpoena for legal identification of a student.
Those are the ones I know, but there may be others.
the horror (Score:2)
Re: the horror (Score:2)
It's worse than what's reported here.... (Score:1)
IT pro in K-12 education here...and former PS customer; we used to use Sungard Pentamantion's eSchoolPlus and eFinancePlus that were purchased by PS a while back. Support was and is still awful from what I read from other districts still using the products. Have migrated from both, but still on mailing lists for things as well as on a state IT Ed Tech mailing list. From what's been reported by affected districts, it was a remote access account credential that was compromised and used against a data expor
They didn't and still don't care about security (Score:2)
1. Why doesn't the system require MFA?
2. Why isn't the system geo and IP restricted?
3. Why aren't the databases and all internal information encrypted?
4. Did anyone care that a system, handling sensitive PII, was insecure?
What about schools and boards that used this software? Why did any school or board use software that wasn't:
1. Open Source and Open Audit?
2. Closed up