Personal Data of the Most Sensitive Kind
Student data is a valuable resource for cyber criminals. Minors have plenty of sensitive personal information, but may lack awareness of the risks it carries. Parents also may not monitor it until they are older. For these reasons, such data is more vulnerable to going unnoticed should it be compromised.
And compromised it has been throughout countless school districts in the US, Canada, and even in Bermuda. Last week, it was announced that PowerSchool, a company that provides their student information systems, had been breached via compromised credentials used to gain unauthorized access to certain customer data via their platform. While PowerSchool shut off the credentials and restricted portal access, they still had to notify school administrators, who then contacted families and staff.
Included in the accessed database tables were school and state IDs, employee ID numbers, and other types of contact information. For some (but not all), Social Security numbers were also exposed. “Due to differences in customer requirements, the information exfiltrated for any given individual varied across our customer base,” says the company.
More and more school districts are coming forward to acknowledge the breach, state by state. By this point, PowerSchool already faces over 20 potential class-action lawsuits for exposing personally identifiable information (PII) and personal health information (PHI). The full scope of the breach is constantly in flux as news updates, but one suit currently alleges nearly 830,000 individuals have been affected.
No less critical than student and teacher data is that belonging to FBI agents. Thanks to last year’s mega breach of AT&T, agent call and text logs were exposed, along with phone numbers and contact information. The agency’s main concern from this incident seems to be protecting its confidential informants, who they have claimed are at most risk for identity exposure. “After criminals stole customer data last year, we worked closely with law enforcement to mitigate impact to government operations,” according to AT&T spokesperson Alex Byers.
Links to Chinese-affiliated hackers known as Salt Typhoon continue to pop up, in connection to security breaches of telecoms like AT&T and Verizon. The question rises whether US telecoms are doing enough for data protection; last week the Federal Communications Commission (FCC) indicated otherwise, that it was time for the agency to modernize its cybersecurity rules for the telecom industry.
While this process develops, however, it remains important for people to monitor their own accounts (and those of their families when need be) and ensure their data is secure from harm.