When Does This Become “Our” Breach?

1–13–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, January 13, 2025, and if the first two weeks of 2025 are any indicator from a cyber news perspective, we’re gonna be in for a long year, folks.

I want to pull a couple of headlines from the past week and give you a thought experiment that you should ponder yourself, and with your team and your leadership.

Here’s the question:

When Does This Become “Our” Breach?

It was reported this week that ed-tech company PowerSchool suffered a breach in December.

For those not often in the K-12 space, PowerSchool is “the largest provider of cloud-based education software for K-12,” and supports 16,000 school districts with 50-60M students across the United States.

There have been a few news stories covering this event since PowerSchool sent its own emails to clients. Unfortunately, it appears that the product impacted, PowerSchool Student Information System (SIS), included “student Social Security numbers, grades, and medical information” - and it’s unclear from PowerSchool just how many students were impacted, but users are assuming the worst. PowerSchool has said that it worked with an outside firm to ensure that the stolen data was deleted, but beyond that, details are pretty light (though I would note that it appears it was a set of compromised credentials from the support side of the organization that led to the breach - a reminder of the value of MFA and the role of “least privilege” - neither of which appear to have been in play here).

The larger issue that this raises - for school districts, in this case - is one that you’ll eventually encounter yourself if you haven’t already, which is “When does this become ‘our’ breach?”

We’re already seeing local media coverage from school leaders who are acknowledging the incident, and coverage about how others are being silent on it.

This is an understandably difficult set of events to navigate. Was the school district hacked? No - but the reality is that their most sensitive student data was stolen, and the district is the one who chose and utilized the vendor.

This is becoming more and more common, and it is really just a matter of time before you have to face this dilemma yourself, if you haven’t already.

So I would offer the following as thought experiments / discussion topics / tabletop exercises for you and your technical and leadership teams:

  1. Do we have an understanding of which vendors have the highest amounts of our most sensitive data (whatever that is for your organization)?

  2. Do we have any sense of a risk assessment, third-party risk management, or contractual clauses relating to cybersecurity with these vendors?

  3. What would happen if those vendors had a total breach (no sense in messing about with little things here - go whole hog)?

    Think through everything from logs (would you be able to determine what data was impacted?) to communications channels (the security folks at the vendor, not the sales team) to external communications from your own organization.

    What are the insurance, regulatory, or litigation implications for your own organization if that data was lost by a vendor?

We’re going to see some of this play out in real time at all of these districts - particularly the public ones, whose communications are subject to public records requests. Here in Washington State, for example, you can request any email sent or received by a district employee.

Tackling these issues in real time with no preparation is frankly overwhelming, and it is unrealistic to expect your team to handle it all as it comes up.

Some pre-planning and pre-positioning is necessary - so if you haven’t run through the exercises above, put them on your list. Indications are that targeting of large providers like this is going to continue in 2025, regardless of your industry.

Fundraising

From a fundraising perspective, we’re seeing a slow start to the year, with only (“only”) $8.2B in newly committed capital last week, with most of it coming from a couple of funds, including:

  • FTV Capital, who raised $3.4B for its eighth growth equity fund and $651M for an early-stage fund called Ascend; and

  • Vistria Group of Chicago, who raised $3B for its fifth flagship PE fund.

To close, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://techcrunch.com/2025/01/09/powerschool-says-hackers-stole-students-sensitive-data-including-social-security-numbers-in-data-breach/

https://go.powerschool.com/index.php/email/emailWebview?email=ODYxLVJNSS04NDYAAAGX4Uc9_4samuzXqzBdCGatRdeJwgal900VGXSgoP85TrLnvepWYYq-7EeVcjgepIFIOPZ5zgR8gxxuMKsVpqwO8EOo5zfHJaOHLA

https://www.newsday.com/long-island/education/powerschool-long-island-school-districts-wubu4rgz

https://www.fairfaxtimes.com/articles/fairfax-county-public-schools-superintendent-silent-about-a-massive-data-breach-by-a-tech-vendor/article_0d54a388-d02e-11ef-afe7-4788249b7dce.html

https://app.leg.wa.gov/WAC/default.aspx?cite=392-105
