California-based education software company PowerSchool was targeted by hackers and the sensitive data of millions of American adults and children was compromised, the company admitted last week.
The breach occurred at the end of December, and new information has been confirmed by TechCrunch Thursday morning’s announcement said hackers were able to access students’ addresses, Social Security numbers, grades and medical information on the platform the school uses to register students, grades, attendance and enrollment.
The names, phone numbers and emails of parents and guardians may also have been compromised, the company said. The company said the hackers were able to access its internal customer support portal using the stolen credentials (logins). PowerSchool has 16,000 customers and the company credits more than 50 million students across North America.
Need to contact us?
Have a news tip?
The number of cybercrimes continues to rise year after year, and this incident is the latest major data breach in the United States. FBI Internet Crime Complaint Center 880,418 complaints recorded in 2023This is a 10% increase over complaints registered the previous year and almost double the number of crimes reported in 2019. Government agencies estimate the potential financial losses from cybercrime to be $37.4 billion since 2019.
The PowerSchool breach is an example of how cybercriminals profit. The company said it was forced to pay money to prevent hackers from leaking stolen data, but did not specify the amount.
Technology experts say cybercrime is largely motivated by money
Hackers using legitimate credentials to access internal software are far more common than you might think, says Rob Scott, Dallas-based managing partner at technology law firm Scott & Scott LLP. he said. When people think of hacking, they are likely to imagine automated attacks that get past logins and passwords, he said.
Scott said many of the breaches originate from accounts purchased on the so-called dark web, a vast expanse of the Internet that is inaccessible to most traditional browsers.
“Or circumstances of employee negligence…poor password management, or IT policies regarding the management and maintenance of password security and confidentiality,” he said.
This incident was not an example of a ransomware attack, where hackers use software or malware to encrypt data on a computer and prevent users from accessing their devices. There were 2,835 ransomware crimes in 2023, with healthcare, manufacturing, and government facilities being the most targeted.
However, the majority of cybercrime is motivated by financial reasons, Scott said.
“People used to pickpocket, right? People used to rob banks,” Scott said. “Cybersecurity is the modern equivalent of these types of activities.”
Kiran Chinnagangannagari, co-founder and chief product and technology officer at Securin, a cybersecurity company based in Chandler, Arizona, says that as these data breaches become more common, data is now accessible in some way. He said that it is probably correct to think that it is being infringed upon.
Chinnagangannagari said advances in generative AI systems have made the internet a data-hungry place. Because these systems require large amounts of information to learn and improve.
Although approximately 20 states have enacted consumer data privacy laws and all 50 states have enacted data breach notification laws, Chinnagangannagari and Scott believe the law will help combat this growing problem. He said he didn’t think it would be of much help. Scott said many laws place the onus on businesses to inform consumers, an extra burden for businesses that are simply victims of crime.
Chinnagangannagari said laws that encourage active protection against unnecessary data collection would be more helpful. For example, HIPAA sets strict rules for how health care providers can collect, store, and share health data. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, includes purpose limitations and data minimization rules.
While there is little an individual can do in the face of such a large-scale attack on a business or organization, users can take some steps toward good “cyber hygiene,” Chinnagangannagari said.
Be careful where you put your information, and learn all you can about the terms and conditions of the big platforms and apps you sign up to. You should set up a system that does not reuse passwords and utilize multi-factor authentication when possible. Some services seek out data and alert you if it’s part of a broader breach, cybersecurity experts said.
And while it may feel powerless, taking these actions and keeping an eye on your accounts for strange online and financial transactions will ensure you’re well prepared for our “new reality.” Chinnagangannagari admits that it is possible.
“It’s not something we were taught growing up,” he said. “It’s a completely different world, so we have to adapt and live within this ecosystem.”
You make our work possible.
