Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform.
In response to the incident, the company engaged with third-party cybersecurity experts, including CrowdStrike, to investigate and mitigate the incident.
Oh good, I’m glad to see they’re forming a fuckup club
PowerSchool is owned by Vista private equity partners.
https://en.m.wikipedia.org/wiki/Vista_Equity_Partners#2010–2019_2
I take it they are jerks?
Dunno. I just thought it was interesting. It was at one time owned by Apple, though that was long ago and it has changed hands many times. It made me wonder if the company would have been more security conscious if they were still owned by a tech firm.
Lol its kind of funny you can just export all that sensitive data to a excel document and they didn’t have rotating passwords
Exporting from almost any database software to Excel/spreadsheet/some other easily audited/human readable format is a pretty standard feature, is pretty useful for troubleshooting, and for ingesting into other tools and systems when there isn’t some proper path through API.
That said, all of that private data should only be accessible in that form by a break-glass account properly secured with pass rotation.
But I know that there’s probably 5 personal accounts at my workplace in our HR/Payroll software that could export the full data from it to Excel. A lot more that could export everything except the payroll info. Unfortunately that was a project that didn’t involve any tech staff until four months before it was supposed to go live, and was configured entirely by a third party vendor “for security” and so we wouldn’t peep other people’s pay. That’s all to say that something like this breach isn’t super surprising to me.
Good info!
