compliance · BleepingComputer
Infinite Campus, an education technology company serving over 3,200 school districts across the United States, experienced a data breach in March affecting more than 137,000 school staff accounts. According to BleepingComputer, the ShinyHunters extortion gang targeted the company's Salesforce instance and leaked a 1.2GB archive of stolen data. Exposed information included names, email addresses, job titles, phone numbers, physical addresses, usernames, and support tickets. Infinite Campus stated that the compromised data consisted primarily of staff directory information commonly found on school websites, with no evidence that customer student databases were accessed.
K-12 institutions and their technology vendors must recognize that Salesforce compromise remains a high-value attack vector for data extortion groups. Schools storing personally identifiable information—even directory-level contact details—should evaluate whether their SaaS vendor relationships include adequate incident response SLAs and credential management controls aligned with NIST 800-171 standards (relevant for school districts handling federal research or grant data). An Omniware engagement can scope vendor security assessment requirements and determine appropriate logging and access review procedures for third-party SaaS instances.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/infinite-campus-data-breach-affects-137-000-school-staff-accounts/
Source: BleepingComputer
All briefings