Unpacking the massive data breach affecting millions of students and educators, and exploring the hidden dangers of stolen childhood identities.
A hacker targeted an unexpected victim in late December 2024: PowerSchool, a company that provides student management systems for the education sector.
As reported by various sources, the threat actor responsible for the PowerSchool breach alleged that they had obtained data from 6,505 school districts across the US, Canada, and other nations as part of an extortion attempt against the company. Overall, the breach affected 62,488,628 students and 9,506,624 teachers.
Although the students managed by PowerSchool might not have significant financial resources, their identities hold substantial value for cybercriminals. For many, a child's identity can be as valuable as an adult's.
Target Group
Cybercriminals are more likely to target and compromise children from wealthier families. Over half of those affected by identity theft belong to households with an annual income over $100,000.
These children typically have more access to social media and other online accounts across various devices. They are also more likely to use payment cards, mobile accounts, online gaming, and other e-commerce platforms that attract cyber criminals, who have become more adept at identifying and exploiting children from affluent families.
Social media use is a common factor among child ID fraud victims. Nearly all victims in the past six years were active social media users when their identities were compromised. This underscores the importance of parents preparing their children for the dangers of social media.
Invisible Crime
When a child's identity is stolen, criminals frequently gain control of their payment accounts, with credit and debit cards being the most commonly compromised.
Using a child's identity enables criminals to effortlessly carry out traceable transactions, making these activities seem legitimate and risk-free. Neither parents nor children typically monitor such breaches, making the stolen information easily exploitable to apply for credit.
Synthetic Identities
When criminals steal children's identities, they repurpose personal information in novel ways. Standard credentials like email usernames and passwords can create synthetic identities, resulting in complete account takeovers or new account fraud.
Cybercriminals use stolen personal data from various sources to construct synthetic identities, crafting a new identity. An identity protection service (IDPS) can help shield children's identities from such attacks.
However, only 5% of parents and guardians reported having their children covered by an IDPS before they fell victim to identity fraud. 95% enrolled their child in an IDPS only after the incident.
According to the 2024 Child & Family Cybersecurity Study by Javelin Strategy & Research, children face numerous online threats, and there are steps parents can take to reduce these risks.
Recommendations
Stay vigilant, use multifactor authentication (MFA), monitor your credit reports, and consider signing up for identity theft protection.
-
Educate your children about the dangers online and how to avoid them.
-
Check with senders by phone to ensure any account-related correspondence you receive is genuine.
-
Verify the authenticity of online content before sharing personal information.
-
Protect yourself from phishing attacks using a hardware security key, such as Yubikey or Google Titan, which can be purchased for as little as $30.
-
Use a password manager to generate and protect your account passwords. Popular options like 1Password or LastPass can do this for you.
"PowerSchool is offering complimentary identity protection services including, if applicable, credit monitoring services, for involved students and educators, regardless of whether an individual’s Social Security Number/Social Insurance Number was exfiltrated.
In countries outside of the U.S. and Canada where the provider provides such services, PowerSchool is offering two years of complimentary identity protection services for all students and educators whose information was involved, regardless of what information about an individual was exfiltrated."
For individuals who reside in the U.S., you can find more information on identity protection services and credit monitoring here: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/
For individuals who reside in Canada, you can find more information on identity protection services and credit monitoring here: https://www.powerschool.com/security/sis-incident/notice-of-canada-data-breach/
For individuals who reside outside the U.S. and Canada, your school or district will have access to information about identity protection services.
Ready to strengthen your organization's identity security?
For more cybersecurity insights, follow Cyderes on LinkedIn and X.
