K-12 Student Data - Why would anyone steal that?
by ogmini
Today, I was talking to a few people about the PowerSchool hack and the question was posed, “Why would anyone want student data?” I was taken aback. In this post, I want to explore that question and give reasons why a threat actor would want this data with some hypothetical scenarios.
Medical Emergency
As a parent, you would do anything to make sure your kid is safe and sound. Schools keep allergy records and action plans attached to their students. A threat actor with that information could easily pose as the school and call the listed emergency contact. The conversation might go something like this:
Hello, Mrs Doe. Your daughter Jane Doe is currently in the hospital. She had an allergic reaction to peanuts. She is OK and currently stable. The hospital just needs your insurance information and credit card to just keep on file.
Oh my god, which hospital is she at?
She is fine and at Really Far Hospital. You know the address? They just need the insurance information and a credit card.
I’ll get that for you. One second.
Phone numbers can be spoofed. School staff names are usually publicly listed. Do you know the voices of all the staff at the school?
Early Pickup
It is a sad fact that child custody can be messy or that certain parents have to be worried about kidnapping attempts. Schools will have a list of people who are authorized to pick up a child in an emergency and may even have special codewords to verify individuals. That information has to be stored somewhere. A threat actor with that information could call the school and state that they need to pick the child up early. They’ll have all the information to pose and authenticate as an authorized individual.
Gifted Program Fees
Schools have gifted programs and parents can be very competitive about getting their children in them. The screening results and lists of gifted students have to be recorded and stored. A threat actor could use those lists to social engineer a mass email to the parents of those students.
Dear Mr/Mrs Doe,
The Gifted Program is going to be having a surprise field trip for all the Gifted Students. Please do not let Jane Doe know about it as seats are limited. Please sign the waiver and pay the field trip fee at the following link: https://spoofpaymentlink.com as soon as possible to ensure your child can participate.
Pre-College Program
College guidance counselors will often keep records of what colleges students apply to, acceptances, and rejections. This is a very stressful time for students and parents. Again, a threat actor could target a student who applied to a very prestigious college and send an email about attending a pre-college program to better their odds of acceptance.
Dear Jane Doe,
We loved your application! There were a few weak spots in your class grades. We offer a pre-college program that would ensure your acceptance. If you are interested you can find more information at: https://fakewebsite.com. On the website, you’ll also find a registration page where you can register yourself and pay the fee. You’ll need your unique code XYZ123 when you register.
We look forward to seeing you on campus!
Vulnerable/Impressionable Students
I admit fully that this scenario may be far-fetched. Schools may mark students as at risk, or with some other term, for the purposes of better serving their needs. These students are the perfect target for a threat actor to try to make an impression on or push their ideology on. A literal prescreened contact list for them.
https://www.cyberpeace.org/resources/blogs/cyber-grooming-an-increasing-threat
Conclusion
So to answer the question, yes. People would want to steal K-12 data for social engineering attacks or to just get paid a ransom. That data that you don’t think is important can be used for nefarious purposes by threat actors. These are only a few examples and I’m sure there could be some other far more creative attacks out there. I’d love to hear about any others that you can think of. So feel free to post them in the comments.
More Links
Just wanted to throw up some more links related to the incident from K12TechPro:
https://k12techpro.com/what-we-know-about-the-powerschool-breach-so-far/
https://k12techtalkpodcast.com/e/powerschool-cybersecurity-breach-what-you-need-to-know/
tags: news