Doug LevinSchool Districts Unaware BoardDocs Software Published Their Private Files via @mkeierleber https://www.the74million.org/article/school-districts-unaware-boarddocs-software-published-their-private-files/ #edtech #edusec #boarddocs @PogoWasRight @brett @funnymonkey
Proud of what we've accomplished, excited for what the future holds: "K12 Security Information eXchange (K12 SIX) Celebrates Five Years as U.S. K-12 Education Sector’s Cyber Threat Intelligence Community" https://www.businesswire.com/news/home/20250612452803/en/K12-Security-Information-eXchange-K12-SIX-Celebrates-Five-Years-as-U.S.-K-12-Education-Sectors-Cyber-Threat-Intelligence-Community #edtech #edusec
Dissent Doe 
You may know this already, but in case you didn't: Threat actors have leaked some data from 2 more K-12 public school districts this week:
Some personal info on students at Coweta County School System was leaked by Nitrogen as proof of claims. I googled the parent information and found an exact match for name, address, and phone number.
Data from Kalamazoo Public School District was leaked by InterLock. InterLock claimed to have acquired 1,420 GB of data consisting of 724,477 Files and 82,820 Folders. It looks like they leaked it all but I didn't attempt to validate any data.
School District of Philadelphia paid nearly $700,000 to bad actors in cyber fraud scheme
https://www.cbsnews.com/philadelphia/news/school-district-of-philadelphia-cyber-fraud-scheme-scam/ #edtech #edusec @PogoWasRight @brett @funnymonkey
https://www.cbsnews.com/philadelphia/news/school-district-of-philadelphia-cyber-fraud-scheme-scam/ #edtech #edusec @PogoWasRight @brett @funnymonkey
School District of Philadelphia paid nearly $700,000 to bad actors in cyber fraud scheme
The School District of Philadelphia appears to have been hit with a cyber fraud scheme that resulted in nearly $700,000 being diverted.
That's not accurate. The Information's wording and organization may have confused people.
Para 5 in the Information is about Employee 1, a contractor who worked for PowerSchool. The Information does not say Employee 1 was a telco (Victim 1) employee or that their PS credentials were acquired as part of the telco breach. Para 5 is unrelated to Para 4.
The Employee 1 creds used to access PowerSchool were acquired at a separate time and unrelated to the telco breach. I confirmed that with a source with knowledge of the incident.
The Information: https://www.justice.gov/usao-ma/media/1400921/dl
Also of note: the Information makes no mention of the second round of extortion attempts, which may mean that DOJ had no evidence connecting Lane to the second set of extortion demands. The second round of extortion demands purported to be from "ShinyHunters," but whether they really were or not has yet to be publicly confirmed or refuted by law enforcement.
@scottwilson I had the same reaction. I even emailed the Media contact for the Massachusetts USAO to ask why the information included enhanced sentences for use of "special skills" and use of "sophisticated means" under USSG § 3Bl.3 and USSG § 2B 1.1(b )(1 0)(C)), respectively.
What "special skills?"
What "sophisticated means?"
I suspect they won't really answer me, but... I had to ask.
#databreach #PowerSchool #EduSec #cybersecurity
UPDATING: The USAMA responded:
"The only information we can provide is that publicly available in the court filings - which are linked in the press release. Apart from that we have no comment. Thank you. "
Someone find me a good "shocked look" emoji, please.
Massachusetts hacker to plead guilty to PowerSchool data breach:
Related:
DOJ Press release: https://www.justice.gov/usao-ma/pr/worcester-college-student-plead-guilty-cyber-extortions
USA v. Matthew D. Lane - Information: https://www.justice.gov/usao-ma/media/1400921/dl
USA v. Matthew D. Lane - Plea Agreement:
https://www.justice.gov/usao-ma/media/1400926/dl
Don't procrastinate if you were affected:
Citizens whose SSN was compromised in the MOVEit breach at the National Student Clearinghouse (NSC) have until May 26, 2025, to file a claim to be part of the $9.95 million class action settlement.
Eligible individuals are those whose Social Security number was included in the files affected by the MOVEit security incident between May 28 and May 31, 2023. See more details and access the claim form at the official settlement website: https://nscsettlement.com/
Today's reminder why NOT to pay criminals' extortion demands to delete data:
PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
NOTE: I subsequently edited my post to clarify that the ransom demand to the state (North Carolina) claimed to be from ShinyHunters. I haven't yet seen any ransom notes to individual districts and I do not know how those were signed or claimed. Stay tuned, I guess....
#PowerSchool #hack #EduSec #EdTech #extortion #databreach
@douglevin @funnymonkey @mkeierleber @brett @euroinfosec @jgreig
@lavxnews It's time people stopped claiming that breaches that have occurred over and over again for years are a "wake up call" for anything. Every sector has had "wake up calls" galore, including the education sector. Nobody woke up. Nobody is still waking up. Instead of a headline calling a breach a "wake up call," maybe the headline should be "Yet another avoidable breach will lead to a major lawsuit."