Tag: incident

  • PowerSchool hacker sentenced. What can schools take away from the incident?

    After pleading guilty to hacking and extorting from ed tech giant PowerSchool, 19-year-old Matthew Lane was sentenced Tuesday to four years in prison and nearly $14.1 million in restitution. 

    The Massachusetts college student was accused of using an employee’s credentials to gain unauthorized access to the cloud-based K-12 software provider’s network in September 2024 and extorting $2.85 million in Bitcoin from the company in December 2024, the U.S. Attorney’s Office for the District of Massachusetts said in May. PowerSchool wasn’t initially identified in legal documents, but was later confirmed to have been the victim.

    Since PowerSchool began notifying districts of a data breach in January 2025, it’s been revealed that sensitive data was leaked for more than 60 million students and 10 million teachers. A court filing said Lane’s access to this student and teacher data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information and passwords. 

    Lane allegedly told PowerSchool that if it didn’t hand over the nearly $2.85 million ransom, he would leak the stolen information “worldwide.”  

    The breach shocked district leaders, as it seemed that PowerSchool had been doing all the right things to keep its data secure, said Doug Levin, co-founder and national director of the K12 Security Information eXchange, a national K-12 cybersecurity nonprofit. For instance, he said, PowerSchool had conducted audits and assured that its networks storing school districts’ information were secure before the 2024 data breach.

    The company even publicly touted the importance of K-12 cybersecurity at the White House, he said. 

    PowerSchool is still facing multiple lawsuits that claim the company was negligent during the cyberattack and failed to provide timely notice to impacted users. 

    A PowerSchool spokesperson told K-12 Dive in a Thursday statement that the company “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice.” Since the data breach, the company said, it has strengthened its systems by adding more security layers and implementing time-based access controls. 

    Can’t put the genie back in the bottle

    Although Lane has been held accountable for the PowerSchool cyberattack and sentenced to prison, “the damage is done” from the leak of the school districts’ sensitive data, Levin said. “There’s no putting the genie back in the bottle.” 

    K-12 cybersecurity remains “an ongoing problem,” and cyberattacks against schools won’t stop just because someone was held accountable for the PowerSchool incident, Levin said. 

    Between July 2023 and December 2024, 82% of K-12 schools said they had experienced a cyber incident, according to a March report from the nonprofit Center for Internet Security. 

    As trust eroded, conversations shifted to ed tech

    The PowerSchool data breach “fundamentally shook” school systems’ trust in big ed tech vendors, Levin said. 

    Before that incident, he said, a lot of the conversations in K-12 cybersecurity focused on how schools could better protect themselves through efforts like strengthening firewalls and implementing multifactor authentication. 

    While those are important strategies, the reality is that schools rely on a large number of vendors that hold their sensitive information. “Schools are only as strong as their weakest link,” Levin said, “and if it turns out the weakest link is a vendor, as we’ve seen in these cases, it causes folks to rethink what it means to be cybersecure.”

    More questioning on districts’ data retention policies 

    In the PowerSchool case, some of the exposed data taken from school districts was decades old. That, Levin said, suggests that keeping data for extended periods of time may present an unacceptable level of risk — especially when there’s no way to reach people whose data may have been leaked.

    As a result, K-12 leaders are talking more about how and whether to minimize the data collected — and how long to hold onto sensitive information. 

  • With help of FIRE, University of Washington professor returns to classroom after bread knife incident

    In Soviet-era Romania, police falsely accused engineer Aurel Bulgac and his wife of espionage and imprisoned him for six months. Seeking refuge in America, Bulgac channeled his passion for physics into a professorship at the University of Washington in Seattle, where he taught without incident for more than 30 years. 

    That would change in the fall of 2023 when Bulgac used a hypothetical involving a small bread knife to encourage students to take the subject seriously. Through a surreal disciplinary process he describes as more nightmarish than Cold War repression, UW banned him from campus and hid evidence to get him to confess to a crime he didn’t commit. Fortunately, Bulgac reached out to FIRE’s Faculty Legal Defense Fund, which set him up with legal representation to vindicate his rights and restore him to the classroom.

    Teaching physics on the cutting edge

    In October 2023, during office hours with two students, Bulgac referred to a Japanese yakuza ritual where members cut off a portion of their little finger as an act of atonement or display of loyalty, called “yubitsume”. To drive home his point about taking physics more seriously, Bulgac took out a small bread knife, placed it on his desk, and asked students if they were confident enough in their answers to physics questions to voluntarily cut off their own pinky fingers if they were wrong.

    It was an intense hypothetical, to be sure, but the two students took it as nothing more than colorful hyperbole. They remained in Bulgac’s office, continued in class, and earned good grades.

    One student later told an advisor about the incident, making clear he never felt threatened. Even after the advisor encouraged the student to file a complaint with campus safety, the student declined. The story should have ended here. 

    But administrators were already demanding their pound of flesh. Instead of dismissing the situation as the student wished, UW banned Bulgac from campus, framing the decision as a “form of protection” for Bulgac. The university failed to provide a clear timeline or indication of when Bulgac could return to in-person teaching. And the university never actually told him whether a formal complaint about the situation existed, making it difficult to defend himself. 

    For nearly a year, Bulgac could not offer in-person office hours, attend scientific seminars, interact with his peers in the department, or work effectively on his Department of Energy research grants. With no end in sight to the university’s investigation, Bulgac was in procedural limbo. So he contacted FIRE’s Faculty Legal Defense Fund, which provides legal representation for public university faculty facing administrative discipline. FLDF immediately put him in touch with FLDF attorney Michael Brown of Seattle’s Gordon Tilden Thomas & Cordell LLP. 

    With Brown on Bulgac’s side, the pair got to work.

    Bread knife of Damocles

    The university never actually told Bulgac whether a complaint about the incident even existed, making it difficult to defend himself. Brown had to file open records requests to get any information from the university about the specific allegations. Finally, in early 2024, UW offered to reinstate Bulgac, but only if he took multiple training courses on communication, attended at least 10 coaching sessions with a university-approved instructor, and apologized to the students. Cutting deeper, UW conceded there was no threat—yet still sought sanctions.

    Brown countered by explaining why Bulgac’s speech was protected by academic freedom. UW itself defines academic freedom as “the freedom to discuss all relevant matters in teaching, to explore all avenues of scholarship, research, and creative expression, and to speak or write without institutional discipline.” He also pointed out the university’s hypocrisy in violating its pledge that “faculty members are free to express ideas and teach as they see fit, based on their mastery of their subjects and their own scholarship.”

    Bulgac’s rhetorical question did not approach the line of being an unprotected, punishable true threat, or a “serious expression” of an intent to commit unlawful violence, and academic freedom gives faculty breathing room to determine how best to approach their own pedagogy.

    In September 2024, the university finally restored Bulgac to the classroom — no apologies or training required.

    “This disciplinary process should have ended with Bulgac’s explanation and the student’s confirmation that he did not feel threatened,” said Brown. “Bulgac’s hypothetical fell well within the zone of academic freedom afforded professors to teach as they see fit, without fear of reprisal from the university administration. As the courts have made clear, that freedom is critical to the proper functioning of universities as places for open and robust sharing of ideas. We were very pleased to work with FIRE to secure a resolution that brought this episode to a close without further damage to Bulgac’s ability to continue to do the important work he has been doing at UW since 1993.”

    Though Bulgac certainly didn’t expect university administrators to behave like Soviet-era apparatchiks, he knew his rights and fought back with FIRE’s help. If you are a faculty member facing punishment for your expression or teaching, contact FIRE.
