Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
Lol its kind of funny you can just export all that sensitive data to a excel document and they didn’t have rotating passwords
Exporting from almost any database software to Excel/spreadsheet/some other easily audited/human readable format is a pretty standard feature, is pretty useful for troubleshooting, and for ingesting into other tools and systems when there isn’t some proper path through API.
That said, all of that private data should only be accessible in that form by a break-glass account properly secured with pass rotation.
But I know that there’s probably 5 personal accounts at my workplace in our HR/Payroll software that could export the full data from it to Excel. A lot more that could export everything except the payroll info. Unfortunately that was a project that didn’t involve any tech staff until four months before it was supposed to go live, and was configured entirely by a third party vendor “for security” and so we wouldn’t peep other people’s pay. That’s all to say that something like this breach isn’t super surprising to me.
Good info!