From a school system email:
PowerSchool has informed us that they have taken action with the hackers to ensure the unauthorized data was deleted without any further replication or dissemination. They do not anticipate any of the data being shared or made public and are working with cybersecurity experts and law enforcement to ensure ongoing data safety. PowerSchool indicated they will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory obligations.
I’m over this, "we were too incompetent and failed at our job, so your personal information is in the hands of a bad entity. Sry, here’s “monitoring”.
No. How about you fucking pay me and suffer consequences instead? If you can’t afford to pay thousands to every affected individual and continue being a business, you don’t get to be a business anymore. Equifax and Change Healthcare are two companies I did not opt into using, but had to, and they both fucked up and lost all of my most sensitive information. People should be in jail and I should have thousands of dollars more in compensation. Instead, I got $7 from Equifax and offered free monitoring from CHC. Make it so it’s debilitating when sensitive information is lost, and maybe places would take security more seriously.
I love your username…
I heard an interview with a (US) lawyer specializing in data breaches. They pointed out the fine print of accepting monitoring often includes releasing the offering company of liability, agreeing to arbitration, things like that
I looked but didn’t see that in writing for my change healthcare situation, but I sure didn’t take the free monitoring because I’m waiting for the class action, and I have assumed that would disqualify me.
It’s just insulting. Sorry we may have fucked up your life and you have no recourse, but here’s a sticker.
I’m upset about this but I’m way more upset to be finding out about it from Lemmy instead of from my school district or PowerSchool directly. My Pennsylvnaia school district hasn’t said anything about this.
yeah my district hasn’t sent anything out at all…
I read about it yesterday morning and my school district sent out an email The same evening. I believe had it not been published they would have stayed quiet.
Just got the email a couple hours ago, our district has been shut down all week though.
All systems can be compromised no matter how secure. It sucks that we have to out our kids privacy at risk just to send them to school.
I wonder what the data entailed other than school name, student name, and grades?
EDIT: Found answer. It included social security numbers.
At this point it’s on the US federal government. The “Social Security” system is entirely lacking in security.
What does this even mean? Did the hackers pinky swear or something?
They paid the ransom.
And they think hackers will honour their word?
They often do. If they didnt, people wouldnt pay the ransom.
I made a similar comment elsewhere. Are the hackers identifying themselves such that they have a reputation that means something? If so, how do we know they are the reputable hackers and not just using the name of the reputable hackers?
In blackmail cases, the scammers typically keep coming back for more and more money.
I had the same thought. What’s stopping a new party from riding the clout of a “reputable” hacker?
There is a whole ecosystem at work where hackers can trade tools, collaborate, announce successes and confirm they are behind a breach.
The ransomware system relies on the majority of actors following through on their part of the bargain or no one would ever pay a ransom.
There are many parallels to how the majority of real world piracy was conducted.
Reputable blackhat hackers often use an online portal where they show proof.
Lesser known ransomware gangs are definitely known to try and double dip though.
That’s why you should always check the reviews of any hacking organization before letting them hack you.
I feel like this is a euphemistic way of saying “we paid the ransom” without actually saying “we paid the ransom.”
It is
But that is hardly a step toward assuring anything was deleted. Do the criminals really have a reputation at stake for keeping their word? Wouldn’t that require we can confirm their identity?
It boils down to their reputation, which is honestly the only thing they truly have.
If they have a reputation of leaking date afterwards nobody is going to pay in the future.
So afaik, they don’t resell or give it away. They also send “proof of deletion”, but how fool proof that is is another question entirely.
In the FAQ, PowerSchool confirmed that the security incident was not ransomware in nature, but noted that it worked with CyberSteward, a Canadian organization that offers cyber-extortion incident response services, to negotiate with the threat actors responsible for the breach.
This confirms previous reporting that PowerSchool was the target of an extortion-only attack and that it paid a financial sum to prevent the hackers from publishing the stolen data.
