On Understanding and Accepting Risk
1–21–2025 (Tuesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, January 21, 2025, and we’re coming off of both the Martin Luther King, Jr. holiday and Inauguration Day here in the US.
Unfortunately, we’re going to continue our conversation from last week around PowerSchool but hopefully you and I can take some lessons from their experience.
On Understanding and Accepting Risks
If you didn’t watch last week, ed-tech company PowerSchool suffered a breach in December that impacted some 60 million students across 18,000 K-12 school district customers.
This is not just name, address, and social security numbers, either - though that data also appears to have been stolen - but because of how some districts used their PowerSchool tools, reports now indicate that lost data includes:
“parental access rights to their children, including restraining orders, and information about when certain students need to take their medications”
As someone with elementary-aged children, not only is this frustrating and infuriating, but we’re also likely dealing with both HIPAA and FERPA regulatory exposure here.
In fact, news this week indicates that PowerSchool is already facing at least 23 class action lawsuits over this breach, and many districts have been using this platform for 15+ years, meaning that students who graduated over a decade ago may be impacted.
Since the story broke, we’ve learned more about what happened - “PowerSchool told its customers that the hackers broke into the company’s systems using a single compromised maintenance account associated with a technical support subcontractor to PowerSchool.”
Beyond that, “PowerSchool spokesperson Beth Keebler confirmed to TechCrunch on Friday the subcontractor’s account used to breach the customer support portal was not protected with multi-factor authentication.”
Interestingly, none of this information appears on PowerSchool’s official breach page, but it does raise the question of how, exactly, this account was compromised.
It appears it was nothing more than common endpoint malware designed to steal credentials saved in browsers:
“According to a source with knowledge of cybercriminal operations, logs obtained from the computer of an engineer working for PowerSchool show that their device was hacked by the prolific LummaC2 infostealing malware prior to the cyberattack.
The cache of LummaC2 logs, seen by TechCrunch, include the engineer’s passwords, browsing history from two of their web browsers, and a file containing identifiable and technical information about the engineer’s computer.
Some of the stolen credentials appear to be associated with PowerSchool’s internal systems.
The malware logs contain the engineer’s passwords for PowerSchool’s source code repositories, its Slack messaging platform, its Jira instance for bug and issue tracking, and other internal systems. The engineer’s browsing history also shows they had broad access to PowerSchool’s account on Amazon Web Services, which included full access to the company’s AWS-hosted S3 cloud storage servers.
The engineer’s computer also stored several sets of credentials belonging to other PowerSchool employees, which TechCrunch has seen. The credentials appear to allow similar access to the company’s Slack, source code repositories, and other internal company systems.”
In many ways, cybersecurity is not complicated, but it is extremely complex - including the dynamics in play here. This all raises the question: Can you accept a risk you don’t understand?
As security practitioners, we often help clients weigh the risks against the effort required to reduce them. In some cases, it makes total sense to “accept a risk” - to know that something might happen, but judge the likelihood or impact reasonable enough to sustain should the risk event occur.
Unfortunately, however, it doesn’t appear that this risk was fully understood by either PowerSchool or its customers - particularly the impact portion.
The clear lesson here for us, then, is around ensuring that our decision makers on the business side truly understand what events like this would mean for the business - particularly in instances where a significant amount of our data or operations rely on a third party.
Now, this is not to say that any of these districts could have understood the risks inherent in a third party’s subcontractor (so-called “fourth party” or even “n-th party” risk - the risk inherent in your vendor’s vendors), but rather that they should have understood the catastrophic impact of such a loss in a way that was meaningful both when they made the initial decision and each time they renewed the contract.
The world runs on third party relationships, so I don’t want to over-index the fear factor on this, but I do think this story is quickly becoming an example of how contractual obligations can help cover this risk (i.e., contractually requiring PowerSchool to flow your chosen security controls down to its own vendors - which doesn’t appear to have happened here).
Like I said, most of this isn’t particularly complicated, but it can be dauntingly complex. Helping your decision makers navigate these challenges is a real opportunity for security pros in instances like this.
Fundraising
From a fundraising perspective, holy cow are we back in a big way for 2025, thanks entirely to French buy-out firm Ardian, who put up $30 billion for its ninth private equity secondaries fund.
Coming in a distant second this week is Insight Partners, who raised a combined $12.5B for its 13th flagship fund and secondary opportunities fund.
Grand total for the week? $46.9B.
Running theme? Secondaries.
When IPOs are hard to come by, the secondary market heats up - and these two big bets indicate that at least some material number of investors see this as a continuing trend.
We’re seeing some tepid IPO interest - this week led by Thoma Bravo’s security play SailPoint, which went private for $6.9B in 2022. We’ll see how that works out for them when the dust has settled.
My hunch? Plenty of action on the secondary market in 2025, less so in the public markets.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.powerschool.com/security/sis-incident/
https://www.bankinfosecurity.com/powerschool-faces-23-lawsuits-over-schools-mega-data-breach-a-27331