School software provider is the latest target of major hack of personal data

This story was originally published by News from the States.

The sensitive data of millions of American adults and children have been compromised after hackers targeted California-based education software company PowerSchool, the company confirmed this week.

The breach happened at the end of December, and new information confirmed by TechCrunch Thursday morning says that hackers were able to access student addresses, Social Security numbers, grades and medical information on the platform, which schools use for student records, grades, attendance and enrollment.

The names, phone numbers and emails of parents and guardians were also potentially compromised, the company said. Hackers were able to use a stolen credential, or login, to access the internal customer support portal, the company said. PowerSchool currently has 16,000 customers, and is used by more than 50 million students across North America, the company confirmed.

The incident is the latest large-scale data breach in the U.S., as year after year, the number of cybercrimes continues to rise. The FBI’s Internet Crime Complaint Center recorded 880,418 complaints in 2023, a 10% increase from the complaints registered the year prior, and nearly double the number of crimes reported in 2019. The agency estimates potential monetary losses due to cybercrime since 2019 to be $37.4 billion.

PowerSchool’s breach is an example of how cyber criminals profit — the company said it was extorted into paying a sum to prevent hackers from leaking the stolen data, though it did not say how much.

The hackers’ method of using legitimate credentials to access the internal software is much more common than you might think, said Rob Scott, Dallas-based managing partner of technology law firm Scott & Scott LLP. When people think about hacking, they likely picture automated attacks that pass through logins and passwords, he said.

Many breaches come from accounts purchased on the so-called Dark Web, a vast expanse of the internet that is inaccessible to most conventional browsers, Scott said.

“Or employee negligence situations … poor password management, or IT policies around managing and keeping passwords safe and confidential,” he said.

This incident was not an example of a ransomware attack, where hackers use software or malware to encrypt data on a computer, and prevent users from accessing their device. There were 2,835 ransomware crimes in 2023, and healthcare, manufacturing and government facilities were most targeted.

But the motivation for the majority of cyber crimes is financial, Scott said.

“People used to pickpocket, right? People used to rob banks,” Scott said. “Cybersecurity is the modern equivalent of those types of activities.”

As these data breaches become more common, you’re likely right in assuming that your data has been compromised in some way by now, said Chandler, Arizona-based Kiran Chinnagangannagari, cofounder and chief product and technology officer at cybersecurity firm Securin.

The advancements of generative AI systems have made the internet a data hungry place, Chinnagangannagari said, because these systems need tons of information to learn and get better.

While about 20 states have consumer data privacy laws, and all 50 states have data breach notification laws, Chinnagangannagari and Scott said they don’t find legislation is a big help in fighting this growing problem. Many of the laws put responsibility on the company to inform consumers, Scott said, but it places extra burden on a company that was just the victim of a crime.

Chinnagangannagari said laws that encourage proactive safeguarding against unnecessary data collection are more helpful. HIPAA, for example, sets strict rules on how healthcare providers can collect, store and share health data. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, includes purpose limitation and data minimization rules.

While there’s little an individual can do in the wake of these large-scale attacks on a corporation or organization, users can take some actions toward proper “cyber hygiene,” Chinnagangannagari said.

Be protective of where you are putting your information, and learn what you can about terms and conditions of large platforms or apps you sign up for. You should set up a system of not reusing passwords, and utilize multi-factor authentication when you can. There are also services that will seek out your data and warn you when it's been part of a widespread breach, the cybersecurity pro said.

And while it can feel helpless, Chinnagangannagari admits, taking these actions and keeping your eye on your accounts for strange online or financial transactions will prepare you well for our “new reality.”

“It’s not something we were taught growing up,” he said. “It's a very different world. And so we just need to still adapt and live within this ecosystem.”