Info-Sec fail on a grand scale
hive-193212·@bozz·

I've mentioned before that I work for a small public school district in the United States. As you might imagine, information security is one of the biggest things that keeps me up at night. I remember reading a study quite some time ago about identity theft and the fact that a majority of ID theft happens to kids. Usually, it's a family member who has exhausted all the obvious resources, so they then turn to their children who have pristine credit. Imagine gaining access to hundreds if not thousands of fresh and clean identities.

Believe it or not, back in the day some school districts used students' Social Security numbers as their unique identifiers. Thankfully, most districts have moved away from that as of a couple decades ago, but you can see how something like that could be a problem.

I would venture to guess most school districts in the world use some kind of Student Information System (SIS) to store their data. These pieces of software store things like basic information, grades, attendance, discipline records and all sorts of other information. It's basically a large database with a pretty front end, like most other things in the world. That actually describes about 80% of the Internet:

## A database with a pretty front end

While businesses and hospitals have always been prime targets for nefarious individuals or groups of bad actors, in the last five years schools have raced to the top of the list of high value targets. There are a couple of reasons for this.

First, as I mentioned already, schools have a huge amount of PII (personally identifiable information) on students. This info is huge for marketing, or other more sinister endeavours.

Second, despite what a lot of people think, most public schools are severely underfunded. This means that they often have fewer or lower-quality security measures protecting this most sensitive data.

There is a wide range of companies that offer SIS systems as a service. Some of them host the data for you and some allow you to run the software on your own servers; it's pretty standard practice. Among that wide range of vendors, there are a couple who have a larger share of the market than others. One such vendor goes by the name of PowerSchool.

Thankfully, this isn't the company we use, but a data breach in late 2024 led to the extortion of the company by a ransomware group. The one good thing that came out of this was that it prompted most other vendors and end users to reevaluate the security of their given SIS, and hopefully it will eliminate this attack vector in the future.

If you are curious about the scope of something like this, [according to the Internet](https://www.techtarget.com/whatis/feature/PowerSchool-data-breach-Explaining-how-it-happened), PowerSchool serves over 18,000 school organizations across 90 countries. Thankfully, we are not one of them!

As scary as this all sounds, believe it or not, it gets even crazier.

So the hack in late 2024 happened because PowerSchool used (they don't anymore) a third party company to handle their support calls. It seems one of the employees at the support company was using easily compromised credentials, and this basically gave the attackers a backdoor into many databases. They then proceeded to pull as much data as they could from every database they could access, which included personal info of students and staff.

A multi-million dollar ransom was demanded from PowerSchool to not disclose the data, which the company ended up paying. Wouldn't you know it though, after the ransom was paid and everyone thought this was over, the attacker started reaching out to individual school districts, also demanding ransom from them. Shocker!

Unlike most incidents like this, the Department of Justice actually found the bad actor, who happened to be a 19-year-old student at a university in Massachusetts. They don't believe he was working alone, but as of now he made a plea deal and is going to be spending about ten years in prison. It almost makes you wonder whether he would have been able to get away with it if he had just taken the initial money and run without trying to extort the actual school districts.

With most everything moving to Software as a Service (SaaS) these days, we trust that our data is being kept safe by the companies we are paying obscene fees to for the use of their software. This is just a good example of how something relatively benign and easy to overlook can turn into something much larger. It's more important than ever to do what you can to keep your data safe.

----------

<center>*All pictures/screenshots taken by myself or @mrsbozz unless otherwise sourced*</center>