I’m writing to express deep concern regarding the escalating cyber threats impacting our schools, businesses, and families. Most recently, my children’s elementary school fell victim to the PowerSchool breach, affecting three of my four children. It is alarming to consider a world where even our children cannot attend school without risking identity theft.
A colleague's son, for example, has received his second notification for credit monitoring due to data breaches—despite being under the age of eight. While credit monitoring offers some recourse, it is inadequate in addressing identity theft or the countless hours spent resolving discrepancies. These breaches highlight a systemic failure to secure sensitive data, particularly that of our most vulnerable: our children.
As a cybersecurity professional with over a decade of experience conducting penetration tests for a Fortune 100 company and contributing to bug bounties for firms like Google, I am disheartened by the persistent negligence surrounding data security. A majority of breaches stem from preventable issues such as phishing attacks, inadequate staffing, and subpar security measures by organizations entrusted with sensitive information. Worse still, companies often sell or share customer data with partners who then further fail to secure it. Careless outsourcing compounds these risks.
Schools, in particular, are increasingly targeted, yet their responses often lack urgency or accountability. Refusing to pay ransomware, for example, may uphold the principle of non-compliance, but it leaves children’s data exposed. Unlike customers, children have no choice in the collection or handling of their personal information, making such breaches particularly egregious.
Just to further illustrate the gravity of this irresponsibility, I would like to point out that paying a ransom should in no way, ever, constitute sufficient evidence that the attacker has sufficiently destroyed the stolen data. Such a company has no right to claim the ‘data has been recovered’ when speaking to its customers or the public. There are a number of technical reasons why deleting is insufficient, but even more so, using a criminal’s ‘honor’ as a means to quell the concerns of parents is unjustly insulting.
This problem demands a proactive response. We have an opportunity to lead by enacting robust legislation that protects children’s data and holds organizations accountable for negligence.
Key recommendations include:
• Mandatory Security Assessments: Require schools and vendors to conduct regular penetration tests and remediate identified vulnerabilities promptly. Failure to remediate the previous year’s pentest findings, or, worse, failing to even conduct regularly scheduled penetration tests, should be grounds for action.
• Transparency in Data Handling: Mandate that schools disclose all third-party entities with access to students’ information, including the purpose and duration of data retention. Children and parents should be proactively informed of all the companies that are holding our minors’ information and what purpose each entity has in the process.
• Limit Data Sharing: Restrict the dissemination of student data beyond essential parties and prohibit unnecessary data collection, particularly sensitive information like Social Security numbers. The viral spread of children’s data across 3rd, 4th and 5th parties shouldn’t be a requirement to attend school.
• Cybersecurity Expertise in Schools: Require districts to employ cybersecurity professionals to evaluate vendor security claims and oversee data protection measures. Any school engaging with a digital vendor must have a cybersecurity expert on staff who can reasonably evaluate these companies prior to engaging in any contracts. ISO and PCI certifications are minimums and not the same as ensuring actual security.
• Right to be Forgotten and Stringent Data Destruction Policies: Enforce forensic destruction of data immediately once its purpose is fulfilled, including data stored in backups. The security of data left from 1995, for example, does not stand up to today’s level of security and should never even be at risk to attackers.
• Phishing Education and Accountability: Implement regular phishing simulations for school staff, vendors that contract with schools, or any entity that collects data of school children and/or school staff, with appropriate consequences for repeated failures.
• A law that prevents the unnecessary collection of sensitive information such as SSNs on children. Generally speaking, any data collected on anyone under the age of 18 should be highly scrutinized and promptly destroyed once used.
Until we can trust that these companies can actually secure children's data appropriately, they should not be entitled to it nor should we be required to give it.
Thank you for your consideration,