Cyber Security News

From TechCrunch (bold mine):

On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach that the company discovered on December 28. PowerSchool said hackers had accessed a cloud system that housed a trove of students’ and teachers’ private information, including Social Security numbers, medical information, grades, and other personal data from schools all over the world. 

Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools — some 18,000 schools and more than 60 million students — in North America, the impact could be “massive,” as one tech worker at an affected school told TechCrunch. Sources at school districts impacted by the incident told TechCrunch that hackers accessed “all” their student and teacher historical data stored in their PowerSchool-provided systems. 

Do note that whoever did this - and they still don't know who - got access to data that goes back decades.

Apparently, PowerSchool did notify districts early on but then provided no actionable information, leaving districts to figure it out on their own.

PowerSchool says it is "working to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.”

Here's what SPS says on its website:

Seattle Public Schools (SPS) is aware of the cybersecurity incident involving the PowerSchool PowerSource portal. SPS was not impacted. 

Our district’s systems remain secure because administrative account logins and functions that could have been used to steal data require a virtual private network (VPN), providing an additional layer of protection.

SPS takes cybersecurity seriously and continuously works to ensure the safety and integrity of our systems. 

I take this with a grain of salt because that means ALL those other districts around the world didn't figure out how to do this? Hmmm

Additionally, SPS employees were affected by a second data breach, this one at a third-party vendor. From SPS:

Carruth Compliance Consulting (Carruth) is the third-party administrator that handles 403(b) retirement savings plans for many school districts, including Seattle Public Schools (SPS). Carruth discovered suspicious activity on their computer systems. An investigation revealed that unauthorized access to Carruth’s network occurred in late December 2024, resulting in the compromise of sensitive employee data for Carruth’s clients, including SPS.

This data breach potentially impacts all employees who have been employed by SPS between 2008 and today. To be on the safe side, we are assuming that all SPS employees between 2008 and now have been impacted by this breach, and we encourage everyone to take the steps listed below.

The compromised information at Carruth may include employees’ names, Social Security numbers, and financial account information. In some cases, it could also include driver’s license numbers, and for those who may have applied for a hardship loan it could include W-2 information, medical billing information (but not medical records), and tax filings.

  • We are working with Carruth to understand the full scope of the breach and to ensure they are taking appropriate steps to mitigate the impact on our employees.
  • We are providing this FAQ and will continue to update it with the latest information as it becomes available.

Info on what SPS employees can do to protect themselves is available here.

The Federal Trade Commission has finalized tweaks and changes to COPPA, the Children's Online Privacy Protection Act. From their website:

“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina M. Khan. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

In a notice that will soon be published in the Federal Register, the FTC made several amendments to the rule, including:

  • Requiring opt-in consent for targeted advertising and other disclosures to third parties: Website and online service operators covered by COPPA will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes.
  • Limits on data retention: The rule requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected. This provision explicitly states that operators cannot retain the information indefinitely.
  • Increasing Safe Harbor programs’ transparency: The FTC-approved COPPA Safe Harbor programs, which are self-regulatory programs that implement the protections of the COPPA Rule, will be required to publicly disclose their membership lists and report additional information to the FTC as part of efforts to increase accountability and transparency in the programs.
  • Amended definitions: The final rule includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.

After reviewing the nearly 300 comments the agency received on the proposed changes to the COPPA Rule, the Commission decided against adopting some proposed changes, including proposed requirements that were intended to limit the use of push notifications directed to children without parental consent and changes relating to the requirements applicable to educational technology companies operating in a school environment.
