Welcome to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown for January 24, 2025. I'm Alex Achten, Senior Director of Communications & Media Relations of the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will examine the PowerSchool data breach, which likely impacted students across the country, and another full of location data that threatens the privacy of millions.

Show Transcript

When I was in middle school, if I acted out, I’d get sent out of the classroom to fill out a yellow sheet. You don’t want to fill one of those out. If I received enough yellow sheets, that meant detention. Detention is in session for PowerSchool after the school software company suffered a data event that may have exposed the personal information of millions of kids, putting them at risk of an identity crime. 

What do we know about the PowerSchool data breach? Threat actors accessed PowerSchool’s student information system in December with stolen credentials. PowerSchool then paid for a video of the cybercriminals deleting it, even though PowerSchool claimed it was not a ransomware attack. As of the recording of this podcast, PowerSchool has not disclosed the complete list of schools or the number of students impacted. However, several individual schools and school districts have reported being victims of the cyberattack. GovernmentInfoSecurity reports that at least 23 lawsuits have been filed against the maker of the PowerSchool software. 

Bleeping Computer reports that the attack against the cloud-based software solutions provider for K-12 schools, which supports over 60 million students and 18,000 customers, could have led to stolen names, addresses, phone numbers, Social Security numbers (SSNs), bus stops, passwords, student IDs, parent information and medical information for impacted students. For teachers, that data could include their names, addresses, phone numbers, SSNs and passwords. You can read our podcast transcript for a list of impacted school districts.

ITRC President James E. Lee spoke with NBC Boston and FOX Memphis about the PowerSchool data breach and urged parents to immediately start the process of freezing their children’s credit. “A child’s data is a clean slate. The likelihood that an identity criminal will get caught is much lower because they don’t have a credit report,” Lee told reporter Kate Bieri.

Child identity theft victims often don’t discover it until there have been years of damage. To freeze your child’s credit, visit Equifax, TransUnion and Experian’s websites. Create a credit profile for your child and then freeze their credit. You may have to mail in documents. However, it is free and, more importantly, worth the time and effort. ITRC CEO Eva Velasquez also spoke with Bieri about how to freeze your child’s credit. You can also find that in our transcript.

In other news, a data breach at location data broker Gravy Analytics is threatening the privacy of millions of people around the world whose smartphone apps revealed their location data collected by the company. According to TechCrunch’s article on the Gravy Analytics data breach, while the full scale of the data event is unknown, the alleged criminal has already published a large sample of location data from top consumer phone apps, including fitness and health, dating, transit apps and popular games. The data represents tens of millions of location data points of where people have been, lived, worked and traveled. 

Baptiste Robert, the CEO of digital security firm Predicta Lab, who obtained a copy of the leaked dataset from the Gravy Analytics data breach, said in a thread on X that the dataset contained more than 30 million location data points. This includes devices located at The White House, the Kremlin in Moscow, Vatican City and military bases worldwide.  

There are actions you can take to protect yourself from advertising surveillance. If you have an Apple device, go to the “Tracking” options in your Settings and switch off the setting for “app requests to track”. This zeroes out your device’s unique identifier, making it indistinguishable from anyone else’s. For Android, go to the “Privacy” and then “Ads” section of your phone’s settings. If the option is available, delete your advertising ID to prevent any app on your phone from accessing your device’s unique identifier in the future. You should still regularly reset your advertising IDs even if yours does not have this setting. 

Mentioning data breaches, the ITRC will release its 19th annual Data Breach Report at the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC on January 28. There are lots of findings that will make you do at least a couple of double-takes. James E. Lee will discuss all of the findings from the report on next week’s Fraudian Slip podcast. You can download the report on our website, www.idtheftcenter.org, by clicking “Reports” under the “Resources” tab beginning January 28. 

If you want to know more about the PowerSchool data breach, Gravy Analytics data breach, how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started. 

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. Be sure to tune in to our Fraudian Slip podcast to catch James's 2024 data breach analysis. We will return in two weeks with another episode of the Weekly Breach Breakdown. I'm Alex Achten. Until then, thanks for listening.