#EduSec

Offensive Sequence offseq@infosec.exchange
2026-02-17

CVE-2026-2247: HIGH-severity SQL injection in Clickedu SaaS (all versions). Attackers can exploit 'id_alu' in report card URLs to access sensitive data. Persistent session tokens increase risk. Prioritize mitigation! radar.offseq.com/threat/cve-20 #OffSeq #SQLi #InfoSec #EduSec

High threat: CVE-2026-2247: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injec
Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-12-01
Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-11-09

"Manassas City Public Schools (MCPS) are closed on Monday due to a cybersecurity incident that has led to connectivity disruptions and phone outages across the school system, officials said.

Dr. Kevin Newman, MCPS superintendent, said in a post on Facebook on Sunday that all MCPS schools will be closed on Monday, November 10, as a precautionary measure to ensure the safety and security of students, teachers, and staff. The school campuses are not at risk, he said."

wjla.com/news/local/virginia-p

@douglevin @funnymonkey @mkeierleber

#EduSec #cybersecurity #databreach

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-11-03

Entities rush to declare that data hasn't been stolen/they haven't been hacked. They often wind up looking like liars or just more incompetent when the hacker starts dumping or leaking data as proof.

This week's example: U. of Pennsylvania, which quickly declared they hadn't been hacked and it was just a vulgar email sent out. The hacker seems to have proved otherwise.

bleepingcomputer.com/news/secu

#EduSec #databreach #cybersecurity #UPenn

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-11-02

Two years after an audit highlighted significant concerns, the North Salem Central School District in New York is still leaving sensitive student data at risk.

When I read audits and follow-ups like these, I wonder whether the parents of the students in the district are aware of these reports at all. Maybe local #PTAs should be forwarding copies of these reports to parents and asking the district why more hasn't been done to implement recommendations made years ago.

osc.ny.gov/local-government/au

And yes, some of you will remind me to have empathy for school districts and understaffed IT personnel. But if we don't want to see any Kido Schools breach here, we'd better start demanding more security and tolerating fewer explanations for inadequate security of student data.

@douglevin @funnymonkey @mkeierleber

#edusec #infosecurity

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-10-14

Earlier today, Matthew Lane, the 19-year-old from Massachusetts who confessed to hacking a telecom and #PowerSchool, was sentenced to 4 years in prison, 3 years supervised release after that, $14M in restitution, and forfeiture of $160k.

#EduSec #cybersecurity #ShinyHunters #G0retrance #databreach

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-10-12

NEW by me:

In a few days, the PowerSchool hacker will learn his sentence, and his life as he has known it will end.

Was he a kid who could have been a "white hat" with just a little encouragement? Are we missing opportunities with some kids?

databreaches.net/2025/10/11/in

#databreach #EduSec

@douglevin @funnymonkey @brett

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-10-03

I did not mention this publicly sooner because Kido schools in the U.K. was under great pressure due to the Radiant group attack involving children’s personal information and photos.

But now that many people are feeling some relief that the hackers have supposedly deleted all the data and won’t be calling parents again, I can reveal that on Monday, I emailed Kido to alert them to a data leak that a researcher had discovered and reported to me that morning.

He had discovered the leak because he decided to research Kido after reading about the horrific breach they were dealing with.

Anyway, this leak didn't involve student/child data, but there were almost 700 resumes/CVs of employees or job applicants that were exposed. Some of them were for Amelio, which is a Kido school in India. Others were for the U.K. domain.

Kido got back to me the next day to thank me and confirm that the data had been locked down.

I have no idea if they will have to make notifications. I guess it will depend on what the access logs reveal, but this leak was also noted on grayhatwarfare, so it's possible a number of people may have accessed data.

It never rains, but it pours, EduSec edition.

#dataleak #edusec #infosec

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-09-24

@douglevin @funnymonkey @brett

OK, so the bad news is that it looks like it's true. I got access to the data tranche and there is a LOT of student PII in there in terms of PDF files/letters and psych evals, and I spotted a .csv file with disabilities records on 2k students from 2017 with their IEP disability classification, name, services to be given, etc. I haven't yet started googling names, so I'm saying the data looks real but I haven't actually tried to confirm that yet.

A lot of the documents such as attendance and truancy letters for named students were OLD -- like back to 2003, etc.

I have a feeling that these records -- assuming, for now, that they are real -- do not necessarily trigger notification requirements under the D.C. notification law, but I have emailed DC to ask for clarification on the application of their law to student records.

I have not really spotted employee personnel data of note, but have only skimmed the tranche with a focus on student info.

If you HMU on Signal, I can give you the entire filelist for the tranche.

#EduSec #databreach #cybersecurity #legacydata #FERPA

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-09-14

Uvalde CISD in Texas will be closed for a few days while the district investigates a ransomware attack.

They have not disclosed whether there was any ransom note, and if so, who signed it.

KSAT reports, "The ransomware detected by the district is affecting several essential online systems, including phones, thermostats, camera monitoring and visitor management systems, among critical services, the district said." ksat.com/news/local/2025/09/13

It is not clear whether the attackers know Uvalde's tragic history of one of the worst school shootings in this country's history, where 19 children and 2 teachers were murdered and more than a dozen others were injured.

Do attackers really think that a district that has gone through so much is going to pay a ransom? Or did they just not know?

If they didn't know, I hope they find their souls and just give the district a decryptor and help.

If they knew and didn't/don't care, may they rot in Hell.

#EduSec #databreach #ransomware #cybersecurity #Uvalde

@douglevin @funnymonkey @brett @mkeierleber

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-09-03

Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool over its massive 2024 data breach. The lawsuit claims that PowerSchool violated both the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misleading customers about its security practices and failing to take reasonable measures to protect sensitive information entrusted by Texas families and school districts.

Press release: texasattorneygeneral.gov/news/

Lawsuit: texasattorneygeneral.gov/sites

h/t, Click2Houston

@douglevin @funnymonkey @mkeierleber @campuscodi

#EduSec #cybersecurity #PowerSchool #infosec #ShinyHunters

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-08-21

The Muscogee County School District attack by Safepay in December 2024 has now been reported to the Maine Attorney General's Office as affecting 34,056 people.

It is hard to be sure from the notification letter because it uses variables, but the sample letter seems targeted to adults/employees rather than students or parents (unless there's a second letter that we are not seeing).

maine.gov/agviewer/content/ag/

I went to SafePay's site and it looks like they leaked the data on August 7. So far, there have been only a few downloads or attempted downloads of the compressed archive, but the download failed when I tried it so I'm not sure how big it is or what's in it at this point.

@douglevin @funnymonkey

#EduSec #databreach #cybersecurity

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-08-01

@douglevin @funnymonkey

So let's attack school districts during summer vacation when staff may be away, right?

I've been swamped with other work and haven't had time to look into any of the following claimed or reported breaches, but here are some names of districts I've seen mentioned in the past few days:

Fort Smith Schools -- Qilin
Radford City Schools -- INC ransom
Franklin Pierce -- Medusa
Winner School District 59-2 -- Beast
Traverse City Area Public Schools -- Medusa
Ridgefield Schools -- ransomware attack reported in news

#EduSec #ransomware #databreach #cybersecurity

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-07-22

@douglevin @funnymonkey

So they wouldn't have committed without that "engagement?"

#PowerSchool #EduSec #databreach

"We take your privacy and security very seriously... when we have to," admitted no entity, ever.

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-07-22

The St. Lawrence Lewis Board of Cooperative Educational Services ("BOCES") in New York has reported a breach that impacted 10,993 people. The types of information involved included: SSN, name, address, DOB, tax identification number, medical information, and financial account information.

The "cybersecurity incident" was discovered on August 12, 2024 and just reported this week to the Maine Attorney General's Office, although letters were sent out to those affected in June.

maine.gov/agviewer/content/ag/

#databreach #EduSec #cybersecurity

@douglevin @funnymonkey

Dissent Doe :cupofcoffee: PogoWasRight@infosec.exchange
2025-07-22

The Clearbrook-Gonvick School District in Minnesota has disclosed a breach that occurred in October 2024. The types of information involved included names, Social Security numbers, driver's license or state ID numbers, individual taxpayer identification numbers, financial account information, and student identification numbers.

markets.financialcontent.com/s

#databreach #Edusec #cybersecurity

@douglevin @funnymonkey
