Students, parents, and teachers still smarting from breach exposing their info

gothmog1114

Ars Praetorian
428
Subscriptor++
There was a testy news article asking why my district's superintendent hasn't commented yet on the breach... It's because we didn't use PowerSchool. I guess now we have to comment on every single breach confirming if we used that vendor.

Edit: Our office of coms put out a statement more than a week ago. It's that the superintendent has to comment that is absurd.
 
Upvote
126 (130 / -4)

SplatMan_DK

Ars Tribunus Angusticlavius
8,051
Subscriptor++
The problem is: too many things in society rely on "security by obscurity". We all know that's a bad practice in IT, so why do we rely on it for critical things outside of IT?

Knowing someone's name, address, etc. should be totally useless. Publishing the name and phone number (perhaps even SSN) of every citizen should be uncontroversial.

The reason it's not, is because the control of how this data is used is piss-poor.

The whole notion that "my name and SSN is secret so I am also secure" is bonkers to begin with.

Obviously, this leak is bad. But the fact that the first response from the vendor is "one year of free credit monitoring" should tell you everything you need to know.
 
Upvote
240 (247 / -7)

squawkingVFR

Ars Praetorian
571
Subscriptor++
There was a testy news article asking why my district's superintendent hasn't commented yet on the breach... It's because we didn't use PowerSchool. I guess now we have to comment on every single breach confirming if we used that vendor.

Legitimate question, because my kid isn't in school yet. How would a parent know if their school district used this vendor? Do parents interact with it or is it purely school administrative tasks? Given the scale of the breach and the data involved, I'd want to know if I didn't have an obvious way of knowing.
 
Upvote
102 (103 / -1)

drtaru

Smack-Fu Master, in training
13
California law requires public schools to store student data in perpetuity.
Why?
Why would this ever be necessary?
Transcripts sure, but why does all the other info about me need to be stored in perpetuity?
No employer is asking me for anything other than a transcript (and even that is exceedingly rare) after almost 20 years...
 
Upvote
172 (175 / -3)
"PowerSchool has said that it has been in contact with the attackers and received assurances they won’t release it publicly."

"Of course we won't release it publicly - there's no money in that."
Oh this made me chuckle. Not only that they believed the attackers, but they then go and tell the world that they believe them!!

The stupidity of some people beggars belief!

The moment that they can monetize that data, publicly or privately, they are going to!
 
Upvote
136 (138 / -2)

85mm

Ars Scholae Palatinae
817
Subscriptor++
The problem is: too many things in society rely on "security by obscurity". We all know that's a bad practice in IT, so why do we rely on it for critical things outside of IT?

Knowing someone's name, address, etc. should be totally useless. Publishing the name and phone number (perhaps even SSN) of every citizen should be uncontroversial.

The reason it's not, is because the control of how this data is used is piss-poor.

The whole notion that "my name and SSN is secret so I am also secure" is bonkers to begin with.

Obviously, this leak is bad. But the fact that the first response from the vendor is "one year of free credit monitoring" should tell you everything you need to know.
Because the cost of doing things properly would be prohibitive, people don't see the risk as high enough to have to deal with the extra steps required to be secure and companies don't want the support cost of making people jump through hoops when for the vast majority of people it's just not something they worry about until it's too late.

This would require legislative intervention and that will only follow public pressure which probably won't come.
 
Upvote
61 (63 / -2)

drtaru

Smack-Fu Master, in training
13
It will be a valuable historical record in a few hundred years.

Same as church records and tax records, it will tell future humans a lot about who we were, what we cared about, and will aid in disambiguation.

I think it's worth keeping, but maybe it should be centralised, or stored offline.
I think that should be up to the individual, if I had the option all that data about me would be scrubbed. I don't care about it and I don't care if anyone else in the future does.
 
Upvote
12 (24 / -12)

DownAndGoing

Smack-Fu Master, in training
82
Subscriptor
Was it a mistake to move critical services like this to cloud platforms? I know I'm in a bit of a techie bubble so my view on this could be pretty skewed, but I'm genuinely asking.

Self-hosting used to be the norm, including at my public school system. There were people in the district who knew this stuff. My high school library staff introduced us to Firefox, Wikipedia, and the Internet Archive (all relatively new at the time, at least to us). They had Linux running on half the computers in the library. The district website was clear, useful, and updated regularly. Maybe my district was just unusual, but I'd trust them to manage school information systems. Even if the security hygiene isn't perfect, self-hosted solutions are at least decentralized so a breach is limited in scope. I really thought that was the lesson we would have learned from SolarWinds, but I was clearly wrong about that. Self-hosting really was the original vision for the web, after all.

Edit: thanks for the helpful responses. I guess "self-hosted" wasn't the right name for what I was thinking given that self-hosted instances were still vulnerable in this case. What I was really getting at is whether or not separate instances are interconnected (e.g. through the support system). My thinking here is that security breaches will happen even when smart and responsible people are doing their best to prevent that, so it's better to contain them than to assume you can stop them forever.
 
Upvote
130 (133 / -3)

Mad Klingon

Ars Tribunus Militum
1,536
Subscriptor++
Dear Current and Former Students
As part of your complete education experience, you can now learn about theft of personal data and dealing with possible Identity theft. We hope you enjoy our efforts to ensure you are prepared for future events.
Your Current or Former School Administration

"The notice went on to say that California law requires public schools to store student data in perpetuity."
Gee, those teachers weren't kidding when they mentioned "Your Permanent Record".
 
Upvote
101 (101 / 0)

Bob Dobilina

Ars Scholae Palatinae
629
Legitimate question, because my kid isn't in school yet. How would a parent know if their school district used this vendor? Do parents interact with it or is it purely school administrative tasks? Given the scale of the breach and the data involved, I'd want to know if I didn't have an obvious way of knowing.
Think of it as a HR system/gradebook. My wife was looking at it last night to check on our kid’s grades and to see if he had any outstanding work.
 
Upvote
51 (51 / 0)

Foxtrot360

Smack-Fu Master, in training
93
The problem is: too many things in society rely on "security by obscurity". We all know that's a bad practice in IT, so why do we rely on it for critical things outside of IT?

Knowing someone's name, address, etc. should be totally useless. Publishing the name and phone number (perhaps even SSN) of every citizen should be uncontroversial.

The reason it's not, is because the control of how this data is used is piss-poor.

The whole notion that "my name and SSN is secret so I am also secure" is bonkers to begin with.

Obviously, this leak is bad. But the fact that the first response from the vendor is "one year of free credit monitoring" should tell you everything you need to know.
Isn't this because banks, businesses, realtors - everyone assumes if you have the super secret number you must be you and they will open account, credit, transfer mortgages, etc without any further checks? Business doesn't care - they booked another account - line goes up! Never mind who really opened the account.
 
Upvote
62 (63 / -1)

RichyRoo

Ars Scholae Palatinae
658
Subscriptor
Was it a mistake to move critical services like this to cloud platforms? I know I'm in a bit of a techie bubble so my view on this could be pretty skewed, but I'm genuinely asking.

Self-hosting used to be the norm, including at my public school system. There were people in the district who knew this stuff. My high school library staff introduced us to Firefox, Wikipedia, and the Internet Archive (all relatively new at the time, at least to us). They had Linux running on half the computers in the library. The district website was clear, useful, and updated regularly. Maybe my district was just unusual, but I'd trust them to manage school information systems. Even if the security hygiene isn't perfect, self-hosted solutions are at least decentralized so a breach is limited in scope. I really thought that was the lesson we would have learned from SolarWinds, but I was clearly wrong about that. Self-hosting really was the original vision for the web, after all.
Some good points.

Consider PAAS vs SAAS. As a simple example: the difference between storing photos in a cloud based network drive, and using Google Photos.

PAAS is basically moving "on premises" storage and software onto virtual machines in a cloud providers system. Here security is typically better than Random IT guy can provide, because it's a team of experts working full time. Security scales. Plus it's cheaper and more reliable. The application security is the same as it was before more or less, but the hardware and network security is typically better.

SAAS
This is where instead of using their "own" virtual machines they use a software service, an app. The underlying cloud security is still handled by whatever provider the software vendor chooses, but their application security is up to the software provider. Also vendors can misconfigure network security settings in a million different ways, often just to get their app working. And for a lot of these companies security isn't their highest priority, so we are back to Random IT Guy, except now instead of every school rolling the dice, every school is stuck with whatever the vendor rolled.
 
Upvote
34 (36 / -2)
Legitimate question, because my kid isn't in school yet. How would a parent know if their school district used this vendor? Do parents interact with it or is it purely school administrative tasks? Given the scale of the breach and the data involved, I'd want to know if I didn't have an obvious way of knowing.
Yes, I have the app on my phone and it also has a web site. The district directs parents to use it for things like reporting absences and receiving grades.
 
Upvote
28 (28 / 0)

bradrel

Seniorius Lurkius
1
Was it a mistake to move critical services like this to cloud platforms? I know I'm in a bit of a techie bubble so my view on this could be pretty skewed, but I'm genuinely asking.

Self-hosting used to be the norm, including at my public school system. There were people in the district who knew this stuff. My high school library staff introduced us to Firefox, Wikipedia, and the Internet Archive (all relatively new at the time, at least to us). They had Linux running on half the computers in the library. The district website was clear, useful, and updated regularly. Maybe my district was just unusual, but I'd trust them to manage school information systems. Even if the security hygiene isn't perfect, self-hosted solutions are at least decentralized so a breach is limited in scope. I really thought that was the lesson we would have learned from SolarWinds, but I was clearly wrong about that. Self-hosting really was the original vision for the web, after all.
On-premise servers were breached as well. PowerSchool (the company) had a function that could remotely pull data from PowerSchool (the application) servers, regardless of where they were hosted.
 
Upvote
51 (52 / -1)

keithzg

Ars Praetorian
500
Subscriptor++
I think that should be up to the individual, if I had the option all that data about me would be scrubbed. I don't care about it and I don't care if anyone else in the future does.
If it was up to Kafka, we wouldn't have several of his works.

I'm sure many a powerful person would love their "youthful indiscretions" wiped from the record.

I'm not saying I'm sure that all data on every person needs to be stored forever, but individual interests need to be balanced at least somewhat by consideration of the rights and benefits of society as a whole.

And honestly, with entities like the American security state already working to store all info on everyone forever, privacy is a fairly compromised concept already, and I personally have a hard time believing that it'd be meaningfully worse for the public to have some sort of publicly-audited access to such data in perpetuity than [gestures vaguely towards Washington D.C. and datacenters in Virginia], yaknow? Or all the info social media companies scrape together, and all the invasively personal inferences they'll surely be soon (or already are) burning GPU cycles to synthesize.
 
Upvote
6 (17 / -11)

DaVuVuZeLa

Ars Tribunus Militum
2,518
Legitimate question, because my kid isn't in school yet. How would a parent know if their school district used this vendor? Do parents interact with it or is it purely school administrative tasks? Given the scale of the breach and the data involved, I'd want to know if I didn't have an obvious way of knowing.
You don't, until there's a breach. This was the first year at my kids' school, and I didn't know they used PowerSchool until they informed us of the breach.
 
Upvote
14 (19 / -5)

gothmog1114

Ars Praetorian
428
Subscriptor++
Think of it as a HR system/gradebook. My wife was looking at it last night to check on our kid’s grades and to see if he had any outstanding work.
Having your HCM in the same space as your educational space seems crazy to me, but I'm also at one of the largest school districts in the country. 6 figure student counts, 5 figure teacher counts. HR and education seem like completely different systems and I don't know how I think a system that purports to manage our complex benefit systems and staffing needs just wouldn't be up to task to handle all the classroom needs from an app as well.
 
Upvote
5 (6 / -1)

wallinbl

Ars Legatus Legionis
13,396
Subscriptor
Because the cost of doing things properly would be prohibitive, people don't see the risk as high enough to have to deal with the extra steps required to be secure and companies don't want the support cost of making people jump through hoops when for the vast majority of people it's just not something they worry about until it's too late.

This would require legislative intervention and that will only follow public pressure which probably won't come.
It's not expensive, as much as it's just not an outcome you get when you employ the lowest wage programmers you can find. It's not hard or even more expensive. It just requires having someone with a clue build your software.

We need real privacy rights and real penalties for these kinds of breaches. They're just going to keep happening because there are no real consequences for them.
 
Upvote
28 (28 / 0)

KingKrayola

Ars Scholae Palatinae
1,394
Subscriptor
Isn't this because banks, businesses, realtors - everyone assumes if you have the super secret number you must be you and they will open account, credit, transfer mortgages, etc without any further checks? Business doesn't care - they booked another account - line goes up! Never mind who really opened the account.
Don't you guys have some kind of Know Your Customer checks? In the UK - not exactly the poster boy for financial best practices - you have to present government ID and some officially generated proof of address to start a relationship with a financial provider, whether it's for business or personal affairs.

Using your name and SSN is basically reusing usernames and passwords across many critical sites.
 
Upvote
31 (32 / -1)

gothmog1114

Ars Praetorian
428
Subscriptor++
If it was up to Kafka, we wouldn't have several of his works.

I'm sure many a powerful person would love their "youthful indiscretions" wiped from the record.

I'm not saying I'm sure that all data on every person needs to be stored forever, but individual interests need to be balanced at least somewhat by consideration of the rights and benefits of society as a whole.

And honestly, with entities like the American security state already working to store all info on everyone forever, privacy is a fairly compromised concept already, and I personally have a hard time believing that it'd be meaningfully worse for the public to have some sort of publicly-audited access to such data in perpetuity than [gestures vaguely towards Washington D.C. and datacenters in Virginia], yaknow? Or all the info social media companies scrape together, and all the invasively personal inferences they'll surely be soon (or already are) burning GPU cycles to synthesize.
Agree. I think there are real benefits in having schools keep historical data to be able to look at trends across decades, and there's certain data you would definitely want schools to indefinitely retain, such as graduation records. Some of the schools in my district are 100+ years old and will most likely still be there when Zuck and Musk are distant memories. It takes an awful long time to see certain results from changes in education or hiring, and having that data available can help folks at schools make real data based decisions, rather than just having some admin person going by their gut.
 
Upvote
16 (16 / 0)
Legitimate question, because my kid isn't in school yet. How would a parent know if their school district used this vendor? Do parents interact with it or is it purely school administrative tasks? Given the scale of the breach and the data involved, I'd want to know if I didn't have an obvious way of knowing.
“Welcome to school district 123! Here’s your PowerSchool registration link!”

You’ll know within a minute as it’s used for EVERYTHING admin.

Our district let us know they didn’t store anything personal in it. Except for said paperwork that has all their registration data so that statement is bullshit. 🤦‍♂️🤬
 
Upvote
44 (45 / -1)

Daros

Ars Tribunus Militum
2,215
Was it a mistake to move critical services like this to cloud platforms? I know I'm in a bit of a techie bubble so my view on this could be pretty skewed, but I'm genuinely asking.

Self-hosting used to be the norm, including at my public school system. There were people in the district who knew this stuff. My high school library staff introduced us to Firefox, Wikipedia, and the Internet Archive (all relatively new at the time, at least to us). They had Linux running on half the computers in the library. The district website was clear, useful, and updated regularly. Maybe my district was just unusual, but I'd trust them to manage school information systems. Even if the security hygiene isn't perfect, self-hosted solutions are at least decentralized so a breach is limited in scope. I really thought that was the lesson we would have learned from SolarWinds, but I was clearly wrong about that. Self-hosting really was the original vision for the web, after all.
The problem is that, in this case at least, many of the schools hit by this were self-hosted. This was a problem with the support accounts from the PowerSchool company. They didn't have 2FA enabled (how the hell do you do that in the year of our lord 2025??) and were breached. So if you had gotten support from PowerSchool (and most schools had), even if you were self-hosted, that support account would still have access to your instance.

It's a mess, and frankly completely inexcusable on PS's part.

Source - I work at one of the schools impacted. Been cleaning up this mess for weeks.
 
Upvote
78 (78 / 0)

close

Ars Tribunus Militum
2,065
The problem is: too many things in society rely on "security by obscurity". We all know that's a bad practice in IT, so why do we rely on it for critical things outside of IT?

Knowing someone's name, address, etc. should be totally useless. Publishing the name and phone number (perhaps even SSN) of every citizen should be uncontroversial.

The reason it's not, is because the control of how this data is used is piss-poor.

The whole notion that "my name and SSN is secret so I am also secure" is bonkers to begin with.

Obviously, this leak is bad. But the fact that the first response from the vendor is "one year of free credit monitoring" should tell you everything you need to know.
The problem with the mentality that just "a little bit is fine, not controversial" is that it's superficial and opens the door to stringing a lot of "little bits" into anything you want while claiming it's still fine. The dose makes the poison and it's not like you can control how much data can be put together after such leaks.

Publishing names, addresses, phone numbers is not "controversial" until you realize that you can build a pretty solid profile on someone by aggregating such "uncontroversial" and harmless single pieces of info.

Each of these data points is not confidential (and might even be individually public) in itself but they provide additional already correlated data to malicious actors. It exposes data to spammers, scammers, stalkers, etc.

For example your face might be on thousands of recordings, and you left your fingerprints on many railings or restaurant glasses, this is not controversial at all. But leaking this data and connecting the dots between disparate data points creates a very powerful individual profile that is ripe for abuse and very much controversial.
 
Upvote
30 (31 / -1)

subitodan

Smack-Fu Master, in training
1
Some school SIS (student information systems) are the most vulnerable and underdeveloped software systems imaginable.

District IT departments are staffed by undereducated or underpaid holdouts from the AOL Netscape era who won't (or can't afford to) retire.

Many positions start at $15/hr requiring a college degree or equivalent experience. Any smart person graduating from school or otherwise entering the field can make double that almost anywhere else in tech.

These sorts of things are the extension of leaving education out to dry financially.

The push for charter and private schools will increase these events. You will have schools individually buying software packages with no vetting and no centralized control or decision-making, by someone paid less than what's mentioned above. More events but fewer victims per event... time will tell.

If you're not in the business you would be shocked at how many yahoo startups that districts throw money at with the promise of improvement because they can't afford or aren't allowed enough allocation for tech staff to guide a somewhat reasonable process.
 
Upvote
33 (38 / -5)

robrob

Ars Tribunus Angusticlavius
7,606
Subscriptor
The problem is: too many things in society rely on "security by obscurity". We all know that's a bad practice in IT, so why do we rely on it for critical things outside of IT?

Knowing someone's name, address, etc. should be totally useless. Publishing the name and phone number (perhaps even SSN) of every citizen should be uncontroversial.

The reason it's not, is because the control of how this data is used is piss-poor.

The whole notion that "my name and SSN is secret so I am also secure" is bonkers to begin with.

Obviously, this leak is bad. But the fact that the first response from the vendor is "one year of free credit monitoring" should tell you everything you need to know.

At one point the phone book provided the name, phone number and address of everyone. I guess there's no cell phone book though.

The problem is obvious though, how do you prove that you are you? We don't really want to go down the path of biometric data, a centralised government verification database that a user can log into and provide a token from is probably the easiest way but rife with issues still (good luck if you're 80, lose your phone and can't remember a password).

We weren't prepared for the digital age, that was clear. But there's not an obvious, scalable solution as far as I can see. You're right in that the current strategy is a failure, but where do we go to from here?
 
Upvote
26 (26 / 0)

McTurkey

Ars Tribunus Militum
1,788
Subscriptor
Why?
Why would this ever be necessary?
Transcripts sure, but why does all the other info about me need to be stored in perpetuity?
No employer is asking me for anything other than a transcript (and even that is exceedingly rare) after almost 20 years...
When I went to school, teachers always threatened us with the idea that something would go on our "permanent record". I would almost be curious now to see some of those records just for the novelty of unpacking parts of my childhood that have been long forgotten, but I suspect there are no such files at this point. Maybe for more recent students with the advent of full computerization of these records making it so trivial to retain, but I was in school mostly during the analog era.

As for it being necessary? Well, just consider the utility for our almighty overlords employers:

"You once upset a teacher who insisted that science fiction always took place in the future by telling them that the opening scroll of Star Wars was literally 'A long time ago...', therefore our new AI interview screening tool believes you are not obedient enough for this job."
 
Upvote
15 (15 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,051
Subscriptor++
At one point the phone book provided the name, phone number and address of everyone. I guess there's no cell phone book though.

The problem is obvious though, how do you prove that you are you? We don't really want to go down the path of biometric data, a centralised government verification database that a user can log into and provide a token from is probably the easiest way but rife with issues still (good luck if you're 80, lose your phone and can't remember a password).

We weren't prepared for the digital age, that was clear. But there's not an obvious, scalable solution as far as I can see. You're right in that the current strategy is a failure, but where do we go to from here?

Hard for me to say.

I live in Denmark and we have a somewhat solid digital signature system, run by the state. But we're also a small country and we've had a central citizen register/database for decades - which has allowed us to tune it, and impose the checks and balances that (largely) prevent fraud and abuse.

There is no easy solution. But I am still surprised that there is no significant change on the horizon. It's an area where time is just standing still.
 
Upvote
23 (23 / 0)

adamsc

Ars Praefectus
4,029
Subscriptor++
Self-hosting used to be the norm, including at my public school system. There were people in the district who knew this stuff

Tons and tons of self-hosted systems get breached, too: I’ve seen everything from being years or even decades behind on patches, to running Remote Desktop with a weak password so someone could check it from home, to an admin having a bunch of browser extensions on a server, to vendors telling you to leave ports open with weak default or no password, etc. Remember those high-profile Exchange or Citrix vulnerabilities last year where people were posting Shodan reports showing thousands of vulnerable servers ages after the patches were released?

The solution is always liability: people do this because competence costs money, and as long as they can shirk responsibility it’s cheaper not to pay for more skilled people and hope nothing happens. We could shift this with liability to get companies to do better, and heavy fines for using personal data for validation to reduce the black market value (phishing means it’ll never go to zero) or cryptocurrency exchanges not following KYC, but have you seen who’s running the government?
 
Upvote
34 (34 / 0)