NYS school data incidents rose 72% in 2025, with 44 reported on Long Island

Experts say the uptick underscores how vulnerable schools are and the limitations they face while managing an array of digital systems.

Newsday

Several #EdTech folks asked me to review the #InfiniteCampus data dump by #ShinyHunters to see if any sensitive student data was leaked as part of it.

I wrote up what I found here: https://databreaches.net/2026/03/28/thankfully-the-infinite-campus-incident-did-not-involve-a-lot-of-non-directory-student-information/

One takeaway for school districts is to remind employees NOT to include student PII or PHI in support tickets to vendors. I've been told it is sometimes required or necessary, but then why weren't tickets like the ones I saw stored with encryption?

#databreach #EduSec #cybersecurity
@mkeierleber @douglevin @funnymonkey

CVE-2026-2247: HIGH-severity SQL injection in Clickedu SaaS (all versions). Attackers can exploit 'id_alu' in report card URLs to access sensitive data. Persistent session tokens increase risk. Prioritize mitigation! https://radar.offseq.com/threat/cve-2026-2247-cwe-89-improper-neutralization-of-sp-b8f5f03e #OffSeq #SQLi #InfoSec #EduSec

The Case for Making EdTech Companies Liable Under FERPA | TechPolicy.Press

Congress should amend FERPA to hold EdTech vendors, rather than the schools, directly responsible for vendor compliance, Lavanya Sathyamurthy writes.

Tech Policy Press

"Manassas City Public Schools (MCPS) are closed on Monday due to a cybersecurity incident that has led to connectivity disruptions and phone outages across the school system, officials said.

Dr. Kevin Newman, MCPS superintendent, said in a post on Facebook on Sunday that all MCPS schools will be closed on Monday, November 10, as a precautionary measure to ensure the safety and security of students, teachers, and staff. The school campuses are not at risk, he said."

https://wjla.com/news/local/virginia-prince-william-county-manassas-city-public-schools-close-on-monday-due-to-cyberattack-cyber-security-hack-hackers-threat-kevin-newman-mcps

@douglevin @funnymonkey @mkeierleber

#EduSec #cybersecurity #databreach

Manassas City Public Schools close on Monday due to cyberattack

Manassas City Public Schools are closed on Monday due to a cybersecurity incident that has led to connectivity disruptions and phone outages across the system.

WJLA

Breaking Up With Edtech Is Hard to Do

Shedding old edtech is a real pain, district experts say. Worse, student privacy may be at risk.

EdSurge

Entities rush to declare that data hasn't been stolen/they haven't been hacked. They often wind up looking like liars or just more incompetent when the hacker starts dumping or leaking data as proof.

This week's example: U. of Pennsylvania, which quickly declared they hadn't been hacked and it was just a vulgar email sent out. The hacker seems to have proved otherwise.

https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/

#EduSec #databreach #cybersecurity #UPenn

Penn hacker claims to have stolen 1.2 million donor records in data breach

A hacker has taken responsibility for last week's University of Pennsylvania "We got hacked" email incident, saying it was a far more extensive breach that exposed data on 1.2 million donors and internal documents.

BleepingComputer

Two years after an audit highlighted significant concerns, the North Salem Central School District in New York is still leaving sensitive student data at risk.

When I read audits and follow-ups like these, I wonder whether the parents of the students in the district are aware of these reports at all. Maybe local #PTAs should be forwarding copies of these reports to parents and asking the district why more hasn't been done to implement recommendations made years ago.

https://www.osc.ny.gov/local-government/audits/school-district/2025/09/26/north-salem-central-school-district-audit-follow-2022m-140-f

And yes, some of you will remind me to have empathy for school districts and understaffed IT personnel. But if we don't want to see any Kido Schools breach here, we'd better start demanding more security and tolerating fewer explanations for inadequate security of student data.

@douglevin @funnymonkey @mkeierleber

#edusec #infosecurity

Earlier today, Matthew Lane, the 19-year-old from Massachusetts who confessed to hacking a telecom and #PowerSchool, was sentenced to 4 years in prison, 3 years supervised release after that, $14M in restitution, and forfeiture of $160k.

#EduSec #cybersecurity #ShinyHunters #G0retrance #databreach