Education software company PowerSchool has become the latest major US company to be targeted by hackers, who have gained access to the personal data of millions of parents and students. (Photo illustration by Seksan Mongkhonkhamsao/Getty Images)
The sensitive data of millions of American adults and children was compromised after hackers targeted California-based education software company PowerSchool, the company confirmed this week.
The breach happened in late December, and new information confirmed Thursday morning by TechCrunch says hackers accessed students’ addresses, Social Security numbers, grades and medical information on the platform, which schools use for student records, grades, attendance and enrollment.
The names, phone numbers and email addresses of parents and guardians may also have been compromised, the company said. Hackers were able to use a stolen credential or login to access the internal customer support portal, the company said. PowerSchool currently has 16,000 customers and is used by more than 50 million students in North America, the company confirmed.
The incident is the latest large-scale data breach in the US as cybercrime continues to rise year after year. The FBI’s Internet Crime Complaint Center recorded 880,418 complaints in 2023, a 10% increase over complaints recorded the year before, and nearly double the number of crimes reported in 2019. The agency estimates the potential financial losses due to cybercrime since 2019 at $37.4 billion.
The PowerSchool breach is an example of how cybercriminals are taking advantage. The company said it was extorted into paying an amount to prevent hackers from leaking the stolen data, but did not say how much.
Hackers’ method of using legitimate credentials to gain access to internal software is much more common than you might think, says Rob Scott, Dallas-based managing partner of technology law firm Scott & Scott LLP. When people think of hacking, they probably imagine automated attacks that pass through logins and passwords, he said.
Many breaches come from accounts purchased on the so-called Dark Web, a vast part of the Internet that is inaccessible to most conventional browsers, Scott said.
“Or situations of employee negligence… poor password management, or IT policies around managing and keeping passwords secure and confidential,” he said.
This incident was not an example of a ransomware attack, in which hackers use software or malware to encrypt data on a computer and prevent users from accessing their device. In 2023, there were 2,835 ransomware crimes, with healthcare, manufacturing and government facilities being the most targeted.
But the motivation for the majority of cybercrime is financial, Scott said.
“People used to pickpocket, right? People used to rob banks,” Scott said. “Cybersecurity is the modern equivalent of these types of activities.”
As these data breaches become more common, you’re probably right to assume that your data has now been compromised in some way, says Chandler, Arizona-based Kiran Chinnagangannagari, co-founder and head of product and technology at cybersecurity company Securin.
The advancement of generative AI systems has made the internet a data-hungry place, Chinnagangannagari said, because these systems need a lot of information to learn and improve.
While about 20 states have consumer data privacy laws, and all 50 states have data breach notification laws, Chinnagangannagari and Scott say they don’t think legislation is much of a help in combating this growing problem. Many of the laws put the onus on the company to inform consumers, Scott said, but it places an additional burden on a company that has merely been the victim of a crime.
Chinnagangannagari said laws that encourage proactive protection against unnecessary data collection are more useful. For example, HIPAA sets strict rules about how healthcare providers can collect, store, and share health data. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, includes purpose limitation and data minimization rules.
While there is little an individual can do in the wake of these large-scale attacks on a company or organization, users can take some actions toward good “cyber hygiene,” Chinnagangannagari said.
Be careful where you put your information and learn what you can about the terms and conditions of any major platforms or apps you sign up for. You should set up a system where passwords are not reused and use multi-factor authentication where possible. There are also services that will look up your data and alert you if it is part of a widespread breach, the cybersecurity professional said.
And while it may feel helpless, Chinnagangannagari admits, taking these actions and keeping an eye on your accounts for strange online or financial transactions will prepare you well for our “new reality.”
“It’s not something we were taught growing up,” he said. “It’s a completely different world. And so we still have to adapt and live within this ecosystem.”