This story has far-reaching implications that could affect every walk of life: the personal information of millions of schoolchildren has been put at risk after the successful hacking of PowerSchool, the developer of a widely used education tech program. The company’s Student Information System (SIS) is a digital platform that educational systems utilize to manage student data regarding everything from grades to attendance and financial records. Most importantly in this case, SIS also collects names, birthdays, addresses, the names of parents and even Social Security numbers.
As we have observed in past issues, the protection of minors’ data is a critical issue for legislatures and cybersecurity experts. This is not only because minors have no agency over the use of their data but also because they are not truly in a position to opt into or opt out of user agreements. With the hacker alleging that he gained the information of more than 60 million students, school districts have been forced to notify parents that additional information such as mental health status and learning disabilities has also been compromised. And although PowerSchool is continuing its operations with a “business-as-usual” approach, many districts are unhappy with how the company has responded to the breach.
This is due, in part, to the fact that private assessments of the attack discovered that even the most basic cybersecurity steps were ignored by PowerSchool: because two-factor authentication was not enabled, the hacker was able to gain access to students’ data after he acquired a single employee’s password. That is to say, this attack was the result of human negligence and oversight as opposed to a sophisticated hacking operation. To make matters worse, the company was completely unaware of the hack until December, when the hacker demanded a ransom. According to reports, the company was forced to pay this ransom, and in turn received a video purporting to show the hacker deleting the data he had stolen. With news of multiple class-action lawsuits being filed against PowerSchool, it is clear this story is not going away any time soon. But supporters of privacy protections everywhere will be watching this outcome with great interest, in the hopes that it will inspire other companies to take the unprecedented step of… turning on two-factor authentication.