A 19-year-old college student from Massachusetts has been sentenced to four years in prison after pleading guilty to hacking PowerSchool, a software platform used by schools across the United States to manage student information. He gained unauthorized access to the system and stole a massive amount of sensitive data belonging to 60 million students and 9 million teachers, including personal identifiers, medical details, and educational records.
After gaining access, he contacted the company and demanded $2.85 million in Bitcoin (30 bitcoin), threatening to release the stolen data online if his ransom demand was not met.
PowerSchool confirmed that multifactor authentication (MFA) was not enabled on some of its systems at the time of the incident. This admission became a key detail in understanding how he was able to compromise the system so effectively.
Headlines:
"...He accessed databases belonging to the company PowerSchool that had information on more than 60 million students and nine million teachers."
"Sensitive data, including students’ Social Security numbers, special education status, medical conditions and parental restraining orders, were exposed in the hack, which PowerSchool made public in January."
"Last month, Texas sued PowerSchool, saying the company broke state laws relating to deceptive trade practices and identity theft protection, including by misleading consumers into believing its shoddy security practices were 'state-of-the-art.'
PowerSchool has acknowledged the hack was enabled by the fact that it did not use multifactor authentication."