PowerSchool, a program used to store student grades, demographic information and other school-specific information, recently released findings on their data breach that happened over Christmas break.
According to their press release and informational webinars, a third-party support account was hacked (likely through phishing) and those credentials were used to access multiple PowerSchool-hosted servers. Most schools in Iowa that are using PowerSchool as their Student Information System (SIS) were impacted. Globally, millions of staff and student accounts were breached.
PowerSchool worked with a third-party security response team and a third-party cyber broker to investigate the data impacted and to communicate with the hacker about a resolution. The hacker did perform a download of student data and staff data from each school that they accessed. Depending on how each school stores information and what information they require for school enrollment, these data tables may have included social security numbers, health conditions, medical alerts and insurance information. PowerSchool stated that they are confident that the downloaded data has been deleted and other copies do not exist.
If you have students that attend(ed) a school using PowerSchool, that school should be providing more information to any families that were impacted by the breach. Each state has different laws about what type of data breach requires a notification; in Iowa you can expect to be notified if your social security number was involved in a data breach.
If you don’t have students in a school using PowerSchool, you should still think about the method of attack and how it can be replicated on technology services you use. In this case, a set of third-party credentials were used to access a support portal. There was no multi-factor authentication (MFA) enforced on this support portal, and the support tunnel was wide-open. Two commonly used security measures have now been implemented: MFA is required to use the support portal, and the support tunnel is opened by request only.
When you evaluate technology services, you should be looking at whether MFA is required. You should also ask how the support portal works. For example, when we work with Verkada to troubleshoot door or camera issues, we have to click a button to give them access to a specific device or dashboard – their support tunnel is not always open. When we troubleshoot anything server-related with Scale Computing, we have to open a support tunnel with them. They do not natively have access to the backend of all Scale Computing products.
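As an added illustration (not code from PowerSchool or from the original post), here is a small audit that checks support-tunnel session logs against the two controls described above: every session must have used MFA, and every session must fall inside a school-initiated, time-boxed access request. The log format, account name and district names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed log format (not any vendor's real format): ISO timestamp, then key=value pairs.
TUNNEL_LOG = """\
2024-12-23T10:15:00 event=tunnel_session account=support-vendor-01 tenant=district-a mfa=true
2024-12-23T10:20:00 event=tunnel_session account=support-vendor-01 tenant=district-a mfa=false
2024-12-24T02:30:00 event=tunnel_session account=support-vendor-01 tenant=district-b mfa=true
2024-12-24T02:31:00 event=tunnel_session account=support-vendor-01 tenant=district-c mfa=true
""".splitlines()

# Constructed access requests: the school clicks "open tunnel" and it auto-closes after ttl.
REQUESTS = [("district-a", datetime(2024, 12, 23, 9, 0), timedelta(hours=4))]


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and a boolean mfa flag."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["mfa"] = rec.get("mfa") == "true"
    return rec


def request_open(rec, requests):
    """True if the tenant had a request window covering the session start time."""
    return any(t == rec["tenant"] and start <= rec["ts"] <= start + ttl
               for t, start, ttl in requests)


def find_violations(lines, requests):
    """Return (timestamp, tenant, reason) for sessions that the two controls should have blocked."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") != "tunnel_session":
            continue
        if not rec["mfa"]:
            violations.append((rec["ts"], rec["tenant"], "no-mfa"))
        elif not request_open(rec, requests):
            violations.append((rec["ts"], rec["tenant"], "no-open-request"))
    return violations


def tenants_reached_without_request(violations):
    """Blast radius: distinct tenants a support account reached with no request open."""
    return sorted({t for _, t, reason in violations if reason == "no-open-request"})


if __name__ == "__main__":
    for v in find_violations(TUNNEL_LOG, REQUESTS):
        print(*v)
```

The last two log lines model the breach pattern in the post: one support account moving across many hosted tenants with no school having asked for help, which a request-only tunnel would block and this check would surface.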
This level of caution should also be extended to any third-party vendors that need to access your network: solar arrays, HVAC systems, community surveillance cameras or access points, etc. When you allow other devices and services to access your network, care must be taken to limit the amount of data and the type of resources they are able to communicate with across your network. If you are engaging new services or evaluating existing ones, please don’t hesitate to include ITS in the conversation so we can make sure these services are configured with a security-first mindset.