Data breaches are common among large organizations. They are also impacting schools.
PowerSchool, a popular K-12 software provider, announced in early January that it had a widespread data breach that impacted schools across the country, including Utah.
It’s not yet fully known what data was compromised in Utah. But State Board of Education Data Privacy and Security Specialist Jeremy Zabriskie said 33 schools and districts use PowerSchool.
Cache County, Iron County, Salt Lake City and Washington County were affected, as well as the Utah Schools for the Deaf and the Blind. All said the intruders accessed basic information about teachers and demographic data about students, like names, birthdates and addresses. But Social Security numbers were not a part of the data in PowerSchool at those schools. Some districts, including Park City, use the platform, but said they were not impacted.
The Granite School District experienced a data breach last September that involved the information of current and former students and staff. District officials said about 15% of the student records included Social Security numbers.
Utah schools are required to report to the state board any significant breaches of student data within 10 business days. They also have to notify affected individuals.
Doug Levin, co-founder and national director of the K12 Security Information eXchange, said cybersecurity incidents are not only becoming more frequent but they are also more severe. His nonprofit helps schools protect themselves from cybersecurity threats.
“The first thing that many people don’t realize is that schools really rely on technology like they never had before,” Levin said. “Which then exposes them to these potential cybersecurity risks and these risks are coming from a lot of places.”
Sometimes these issues are the result of a mistake made by a staff member, but Levin said there are professional criminal groups, largely based outside of the U.S., that target schools. He said there’s also been an increase in third-party vendors, like PowerSchool, that have a problem which in turn affects schools.
One of the reasons school data is so valuable is that minors tend to have pristine and unmonitored credit records. Levin said malicious actors on the dark web would pay more for the identity information of minors because they can abuse it for a much longer time without anybody raising a red flag about it.
“For these young students, it may not be until they turn 18 — until they try to rent their first apartment, get a car loan, apply for a college loan — that they find out that their credit history has actually been, frankly, demolished, by these threat actors.”
Schools are often the largest employers in their communities, Levin said, and they have lots of employment data.
While it's worse if a student’s Social Security number is exposed, Levin said identity thieves don’t need it to do damage. They can still try to open up bank accounts with names and birth dates, and then use that account as proof of identity to open up additional accounts. Identity thieves can also find other information to supplement what they have or use the data they do have to trick individuals into giving them more information.
After an attack like the PowerSchool incident, Levin said there’s the likelihood of a second round of attacks by people who try to take advantage of people’s sense of urgency.
“One piece of very solid advice that we routinely advise parents to do is to freeze the credit records of their minor children,” he said. “That will prevent some of the worst identity theft that can happen but, again, it’s not a panacea.”
The Granite School District is offering free credit monitoring to affected individuals.
Levin said schools might need more resources to help them stay secure in the future.
“What parents will need to do is speak to their school leaders, they’re going to need to speak to policymakers,” Levin said. “We are going to need schools and their vendors to be held to some baseline of cybersecurity practices so parents can be assured.”
Levin added that in the PowerSchool incident, there was nothing individual schools could have done differently except use a different product. He recommends schools treat this incident as a canary in the coal mine to re-evaluate what access they’ve granted to other vendors and what security assurances they need from new vendors.
In Utah, Zabriskie said they usually see about one or two school data breaches a year where an external attacker gains access. What’s uncommon this year, he said, is how severe the data breaches have been.
“Both of these were much larger than what we've seen before.”