The hack of a company that helps schools track tens of millions of students appears to be the largest breach of American children's personal information to date, school officials and cybersecurity experts said.
The company apparently failed to take basic precautions to protect student data, according to a copy of an interim cybersecurity audit by CrowdStrike, the security firm it commissioned, and records of internal discussions obtained exclusively by NBC News.
PowerSchool is best known for its student information system (SIS), one of the most widely used educational technology products in the United States, and that is the system that was breached. SIS software lets school districts track K-12 students and collect information such as their names, schools, birthdays, addresses and parents or guardians. Many districts go further and add information such as Social Security numbers, health issues or disciplinary records.
The theft of children's data is considered particularly alarming because children usually have no agency over how their information is handled. Because cybercriminals repeatedly package and resell victims' information, it is hard to draw a direct line from a specific stolen data set to a given case of identity theft. Still, identity theft cost Americans about $43 billion in 2023, according to AARP research.
PowerSchool spokesperson Beth Keebler said in an emailed statement: "We recognize the significance of this incident and deeply regret it. We have invested heavily in our cybersecurity program, culture and talent. This is a key area of diligent and continuous focus, and the company plans to continue to invest."
Cybercriminals who steal sensitive data usually threaten to release it if a ransom is not paid. PowerSchool declined to comment to NBC News on any ransom demand or payment. But in a private virtual briefing with customers, the company's chief information officer, Mishka McCowan, said the company had paid the hackers and received a video of them appearing to delete the stolen data, attendees of the briefing told NBC News.
Cybersecurity experts warn that cybercriminals can renege on promises not to release data, and that it is impossible to verify that the hackers did not keep a backup copy.
In December, a hacker gained what appears to have been full access to the SIS data of the schools served through PowerSchool's customer support system. Although that is not PowerSchool's entire customer base, the breach appears to expose the data of tens of millions of American children. The exact number is still unclear; the hacker claims it is 62 million, a figure first reported by a technology news website.
As of Thursday, the breached data did not appear to have been posted publicly online.
A private assessment of the hack shows the company failed to take basic steps to protect students' data. PowerSchool hired CrowdStrike, a cybersecurity firm, to help investigate the breach. An interim report written by CrowdStrike and circulated to some school officials, which had not previously been made public and was obtained by NBC News, found that the hackers used no malware and exploited no backdoor into PowerSchool's systems. Instead, they simply obtained an employee's password, which gave them access to a "maintenance access" function that let them download the personal information of millions of children.
According to the CrowdStrike report, the company did not even know it had been the victim of such a large hack until late December, a few days after the intrusion, when the hacker contacted the company to notify it and demand payment.
CrowdStrike declined to comment, citing industry practice.
In a private online chat that included company executives and school representatives, one executive acknowledged that the hackers were able to access and download student records by logging into an account that did not have two-factor authentication enabled, a standard protection for any account and especially for one that can reach sensitive information, according to a screenshot of the chat shared with NBC News by a participant who asked not to be named.
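The failure described above, a privileged support account without a second factor being used to bulk-download records through a maintenance function, is the kind of thing two routine controls surface: an inventory check that no account holding a privileged role lacks MFA, and a volume check on record exports per account. The following is an added example written for this page, not PowerSchool's or CrowdStrike's code; the account roster, the pipe-delimited audit-log format, the role names (`maintenance_access`), the `export_students` action and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Hypothetical SIS access-audit checks (added example; not PowerSchool code).

Two controls that would have flagged the failure described in the article:
1. any account holding a privileged bulk-data role must have MFA enabled;
2. a single account exporting an unusual volume of student records, or from an
   unusual number of districts, inside a short window should raise an alert
   even though the login itself looked legitimate.
The roster, log format, role names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account roster: username, roles held, whether MFA is enforced.
ACCOUNTS = [
    {"user": "support.alice", "roles": {"support", "maintenance_access"}, "mfa": True},
    {"user": "support.bob",   "roles": {"support", "maintenance_access"}, "mfa": False},
    {"user": "teacher.carol", "roles": {"teacher"},                       "mfa": False},
]

# Roles that grant bulk access to student records (assumed names).
PRIVILEGED_ROLES = {"maintenance_access", "admin"}


def accounts_missing_mfa(accounts, privileged_roles=PRIVILEGED_ROLES):
    """Return usernames that hold a privileged role but have MFA disabled."""
    return sorted(a["user"] for a in accounts
                  if a["roles"] & privileged_roles and not a["mfa"])


# Constructed audit log, one event per line:
# timestamp|user|action|district_id|record_count
LOG = """\
2024-12-19T02:11:04Z|support.bob|login|-|0
2024-12-19T02:12:30Z|support.bob|export_students|d-1001|48210
2024-12-19T02:13:02Z|support.bob|export_students|d-1002|51307
2024-12-19T02:13:40Z|support.bob|export_students|d-1003|9920
2024-12-19T09:00:00Z|support.alice|export_students|d-2001|1200
2024-12-20T09:05:00Z|support.alice|export_students|d-2002|1500
"""


def parse_log(text):
    """Parse the assumed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, district, records = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "action": action,
                       "district": district, "records": int(records)})
    return events


def bulk_export_alerts(events, window=timedelta(hours=1),
                       max_records=25000, max_districts=2):
    """Sliding-window check: for each user, find the busiest `window` of
    export_students events and alert if it exceeds either threshold.
    Returns one alert per user, with the peak record and district counts."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "export_students":
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in sorted(per_user.items()):
        evs.sort(key=lambda e: e["ts"])
        peak = {"records": 0, "districts": 0}
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until evs[start:end+1] fits in `window`.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            records = sum(x["records"] for x in span)
            districts = len({x["district"] for x in span})
            if (records, districts) > (peak["records"], peak["districts"]):
                peak = {"records": records, "districts": districts}
        if peak["records"] > max_records or peak["districts"] > max_districts:
            alerts.append({"user": user, **peak})
    return alerts


if __name__ == "__main__":
    print("privileged accounts without MFA:", accounts_missing_mfa(ACCOUNTS))
    for a in bulk_export_alerts(parse_log(LOG)):
        print("bulk export alert:", a)
```

Against the constructed data, the MFA check names `support.bob`, and the export check flags the same account for pulling 109,437 records from three districts in under two minutes, while `support.alice`'s small exports a day apart pass. The thresholds are deliberately coarse; in practice they would be tuned per role to the volume a legitimate support task actually needs.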
Bill Fitzgerald, an independent security consultant who works with schools, said this is an example of poor security, though not one that is rare in the edtech industry.
"If you're not doing multifactor authentication, that's not best practice," Fitzgerald told NBC News. "But it happens all the time."
Doug Levin, national director of K12 SIX, a nonprofit that helps schools defend against hackers, has criticized lax cybersecurity standards across the so-called edtech industry, which has boomed especially since the COVID-19 pandemic. Levin told NBC News that the hack and the lack of safeguards were extreme but still emblematic of the industry.
"For a sector that is indispensable to the American way of life, K-12 schools and their vendors are not meeting cybersecurity standards," he said, referring to the cybersecurity problems plaguing the industry. "This incident is unique in the scope and sensitivity of the data."
PowerSchool declined to share details about which students were affected because the investigation is ongoing, but the spokesperson said the company is confident that the share of affected students whose Social Security numbers were compromised is less than 25%, or fewer than 10 million.
Terry Loftus, chief information officer of the San Diego County Office of Education, where seven districts are PowerSchool customers, told NBC News that he is particularly worried about the data the hackers accessed in some school districts.
"We may be talking about disabilities and what support special education students receive," Loftus said. "That is extremely sensitive. For a threat actor, that is very high value, and it gets passed on to all sorts of malicious groups or data brokers."
"Right now, unless we hear otherwise, this may end up being the largest breach of K-12 student data," he told NBC News.
The company said in a press release that in some cases, information on former students was also stored in PowerSchool, and their personal information was stolen too.
There is no formal public accounting of PowerSchool's coverage, but it has statewide contracts with Alabama, North Carolina and South Carolina, though the use of SIS software can vary within a state. Schools in other states that have warned students and parents about the PowerSchool breach include those in Alaska, Arizona, California, Colorado, Delaware, Illinois, Indiana, Kansas, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Wisconsin and Wyoming.
Georgia broadcaster 11Alive estimated from Department of Education data that more than 230,000 students in the state may be affected.
In some cases, school districts have warned that the hackers stole specific information. The Utah Schools for the Deaf and the Blind announced that the hackers were able to access not only students' names, birthdays and grades but also their locker numbers and combinations and their lunch account balances.
Sarah Powazek of the University of California, Berkeley's public interest cybersecurity program, which provides cybersecurity help to schools and other civic organizations that might not otherwise afford it, said schools are unfortunately dependent on companies like PowerSchool to protect their private information.
"School districts really have no control over the product, or over whether PowerSchool itself implements the correct security procedures in its organization. These edtech products are extremely popular in schools," Powazek told NBC News.
PowerSchool has publicly stated that it takes pains to ensure high cybersecurity standards. In 2023, CEO Hardeep Gulati joined then-first lady Jill Biden at a White House event promoting edtech cybersecurity. The company's website says it takes specific steps to protect children's and teachers' data, including regular security audits and "extensive security/cybersecurity training for all our employees."
PowerSchool is also a signatory of the Student Privacy Pledge, created by the nonprofit Future of Privacy Forum, which commits signers to a series of basic steps to protect students' information. A Future of Privacy Forum spokesperson told NBC News that it is currently reviewing PowerSchool's "potential violations of the company's Student Privacy Pledge commitments."