A CrowdStrike cybersecurity audit of last month's data breach targeting education technology provider PowerSchool has found that the company failed to implement basic security measures, thus allowing a hacker to access millions of student records, NBC News reports.
The hacker reportedly used a single compromised employee password to log into a “Maintenance Access” function, forgoing the use of malware or sophisticated attack methods. The account was not secured by two-factor authentication, a fundamental security standard. PowerSchool also remained unaware of the breach for several days until the hacker contacted the company to demand payment. The breach exposed sensitive student data, including names, birthdays, addresses, and potentially Social Security numbers and disciplinary records. Experts warn that stolen data can be repackaged and resold, increasing the long-term risk of identity theft. While PowerSchool has pledged to enhance cybersecurity, experts note that weak protections are common in education technology. The incident underscores the need for stronger safeguards, particularly in systems handling children's personal information.
