Transcript
Jim Love (0:01)
A new default setting on Microsoft OneDrive creates a security vulnerability. PowerSchool paid the ransom, but the attackers didn't delete the data. And Canada's largest school board is hit with a second threat over student data. And a DOGE staffer's computer was breached by info-stealing malware. Is DOGE now the biggest cybersecurity compromise of our lifetime? This is Cybersecurity Today. I'm your host, Jim Love. Microsoft does it again: out-of-the-box protocols lead to huge vulnerabilities. We've spoken about this before: the risks involved in assuming that factory default settings for software represent adequate security. In many cases, including this one, the default settings can lead to multiple vulnerabilities. And of course, the vulnerabilities are widely known by hackers. The warning comes courtesy of a LinkedIn poster, Paolo, from a company called Bear Security. Paolo points out that a new feature for Microsoft OneDrive, "prompt to add personal accounts to OneDrive sync," is scheduled to be rolled out this month. The update introduces a significant security vulnerability by enabling users to synchronize their OneDrive accounts and corporate accounts with a single click. But Paolo goes on to explain that of course this default setting bypasses established security protocols, as it lacks inherent controls, logging mechanisms, and corporate policies governing synchronization of personal accounts on business devices. Consequently, he says, this creates a substantial risk of sensitive corporate data being unintentionally or maliciously transferred to personal, unmanaged environments. Paolo proposes a means of fixing this issue and avoiding a potential data leak, and that is disabling the feature through the "Disable Personal Sync" Group Policy setting.
Given the ease of data exfiltration and the potential for severe compliance and security breaches, it's very important that your IT team immediately verify the status of this policy within their organizations and take any necessary actions as your organization's risk appetite sees fit. So a shout-out to Paolo, and a warning that even software as a service or cloud software requires proper oversight by a trained security professional. We believe there should actually be a big warning on the download page to that effect, and perhaps even an approval from a signing officer that proper installation and configuration will be done. We've had far too many examples of everything from configuration risks to storage buckets left without protection. Isn't it time to put an end to this? Months ago, US-based software firm PowerSchool paid a multimillion-dollar ransom to stop the release of stolen student data from its thousands of customers across Canada and the U.S. In return, PowerSchool received assurances from the hackers that its data had been deleted, including a video purporting to show the actual deletion of the data. We're now finding out that, surprise, surprise, criminals can't be trusted. One of PowerSchool's largest customers, one of Canada's largest school boards and the fourth largest school board in North America, the Toronto District School Board, or TDSB, says it's been hit with a new ransom demand and proof that the attackers never deleted the data. Sensitive student records, perhaps dating back as much as a decade or more, are once again at risk. The TDSB revealed that it was contacted this week by a threat actor claiming to possess student data from the original December 2024 breach. That incident, which affected multiple Greater Toronto Area boards, involved stolen records from the PowerSchool student information system, including names, birth dates, health card numbers, medical history and more.
At the time of the breach, PowerSchool told school boards that the stolen data had been deleted and no copies had surfaced online. The company later confirmed that it had paid the ransom in an attempt to keep the data private, saying, "We believed it to be in the best interest of our customers, the students and the communities we serve." But now that data is once again being used to pressure the TDSB, confirming fears that cybercriminals may not actually honor their agreement. This incident raises hard questions about paying ransoms to cybercriminals, a tactic increasingly discouraged by law enforcement. The TDSB says it's working with PowerSchool, police and Ontario's privacy watchdog. But parents and students remain exposed, and the breach highlights three long-standing vulnerabilities: legacy data, weak vendor security and misplaced trust in criminals' promises. There will be fallout from this for many months to come, and who knows what other school boards will be affected or what information will or will not be disclosed. As we discussed earlier in our last Month in Review show, the huge budgets of these school boards are often public information, and crooks may think that this makes them an attractive target. The reality is that the TDSB runs a deficit and it couldn't possibly raise the money to pay a ransom unless they have an insurer who will put up the money. The number one lesson to be learned is that paying a ransom doesn't mean you'll get your data back or that it won't be leaked anyway. You're dealing with criminals. A second lesson to be learned is that school boards and public agencies must re-evaluate data retention practices and vendor risk management. Simply storing decades of personal data, much of it no longer relevant, creates unnecessary liability. And as the Privacy Commissioner of Ontario pointed out, while PowerSchool may have the software that was breached, you cannot delegate accountability. The TDSB is ultimately accountable. Or are they?
See, senior governments may have to finally take some action here. School boards and cities don't have the resources or the expertise to properly deal with cybersecurity issues. Nor is it efficient that each individual school board, or in some cases perhaps even individual schools, have to deal with these issues. If the largest board in Canada, the fourth largest in North America, doesn't have the resources and the skills to properly deal with this, how can we expect smaller municipalities to even begin to address it? And it may be different in the U.S., but in Canada, the provinces have ultimate responsibility for education, and if anybody steps into their territory, they're the first ones to say, hey, we're in charge here. Except when it comes to spending money or solving this problem. And as the Ontario Privacy Commissioner pointed out, you can't delegate accountability. Glad to hear from you on this, or any examples from other jurisdictions. Kyle Schutt is a 30-something-year-old software engineer who, according to Drop Site News, gained access in February to core financial management systems belonging to the Federal Emergency Management Agency, or FEMA. He was working at the time for the Department of Government Efficiency, or DOGE, and he had his personal computer compromised by info-stealing malware. Now, this breach could have resulted in the exposure of sensitive credentials, and it raised some concerns about the security protocols within federal agencies. But it doesn't stop there. In addition to his role at FEMA, Schutt also worked at the Government Security Agency, or CISA, where he might have had access to some of the most sensitive information on government networks. In addition to cybersecurity issues, the compromised credentials were discovered in leaked stealer logs, which are collections of data harvested by malware that's designed to extract information like saved passwords, browser data, and even session tokens.
These logs are often sold on dark web marketplaces, providing malicious actors with access to sensitive systems. In this case, the logs contain credentials linked to various government platforms, potentially jeopardizing the integrity of critical infrastructure. And the incident not only highlights the persistent threat posed by info-stealing malware, which can infiltrate systems without immediate detection, but it also highlights the security risks posed by DOGE staffers, who are increasingly getting a reputation for both having extraordinary access to US government systems and combining that with a disregard for proper security protocols. According to journalist Micah Lee, usernames and passwords belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Besides pilfering login credentials, stealers could also be capturing keystrokes or screen output, and that data would be sent directly to the attacker. But Lee notes, "I have no way of knowing exactly when Schutt's computer was hacked or how many times," and apparently neither do his employers, because no one has checked the dark web or possibly even checked Have I Been Pwned. Having a hacked computer connected to any government agency or department is a serious matter. But the number of security incidents and warning signs from DOGE access is unprecedented. And if you tune in this weekend to our interview show, we have as our guest a whistleblower who, among other things, will reveal that DOGE employees, at least in his case, appeared to have absolute access to agency systems with no restrictions on what they could see or do. And if that's a consistent policy of DOGE, combined with the sloppiness we've seen from their employees, this could indeed represent the greatest cybersecurity threat in U.S. history. The story we'll tell this weekend has been revealed both to Congress and other journalists, so we didn't find out about it in a parking garage.
But despite that, when I finished the interview, I remarked to my wife that my hands were shaking, and I knew in the moment what Haldeman and Ehrlichman must have felt like when they first got the story of the Watergate burglary. We are at a pivotal point in history. Am I exaggerating? Listen in this weekend and judge for yourself. The show drops at 3:00 a.m. Eastern Time on Saturday morning. And that's our show. Sorry if my frustration showed in a couple of stories. It's just really difficult to keep reporting on issues that should be fixed. The key word is accountability, and while it's become fashionable to put that under the CISO or under overworked IT and security staff, it's just not fair, because in all too many cases what these people say can be overruled, and all too often is. Anyway, that's my opinion. As always, I'd love to hear your thoughts, agree or disagree. And if you want to get a shout-out, let us know of any issues that you see in your day-to-day work. You can reach me at editorialechnewsday CA, you can find me on LinkedIn, or if you're watching on YouTube, just drop a note under the video. I'm your host, Jim Love. Thanks for listening.
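The OneDrive story above asks IT teams to verify the status of the "Disable Personal Sync" policy. The following PowerShell is an added example, not part of the transcript and not code from Paolo or Bear Security. It assumes the policy is stored where Microsoft's OneDrive Group Policy documentation places it (HKLM\SOFTWARE\Policies\Microsoft\OneDrive, DWORD value DisablePersonalSync = 1, the registry form of "Prevent users from syncing personal OneDrive accounts") and that the script runs with local administrator rights; the function names are this example's own.

```powershell
# Added example: audit (and optionally enforce) the OneDrive "Disable Personal Sync" policy
# on a Windows endpoint. Assumed policy location, per Microsoft's OneDrive GPO documentation:
#   HKLM\SOFTWARE\Policies\Microsoft\OneDrive  DWORD DisablePersonalSync = 1
# Assumes local administrator rights to read (and, if remediating, write) the HKLM key.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$ValueName  = 'DisablePersonalSync'

function Get-PersonalSyncPolicyStatus {
    # Returns an object describing whether personal-account sync is blocked by policy.
    # A missing key or value means the default applies, i.e. personal sync is allowed.
    $value = $null
    if (Test-Path -Path $PolicyPath) {
        $props = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $props) { $value = $props.$ValueName }
    }
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyPresent       = ($null -ne $value)
        Value               = $value
        PersonalSyncBlocked = ($value -eq 1)
    }
}

function Set-PersonalSyncBlocked {
    # Writes the policy value locally. In a domain, prefer enabling the GPO centrally
    # ("Prevent users from syncing personal OneDrive accounts") so the setting is managed
    # and logged in one place rather than patched host by host.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$status = Get-PersonalSyncPolicyStatus
$status | Format-List

if (-not $status.PersonalSyncBlocked) {
    Write-Warning "Personal OneDrive sync is NOT blocked by policy on $($status.ComputerName)."
    # Uncomment to remediate this host directly (local admin rights required):
    # Set-PersonalSyncBlocked
}
```

To sweep a fleet rather than one machine, wrap `Get-PersonalSyncPolicyStatus` in `Invoke-Command -ComputerName` against your endpoint list and export the resulting objects to CSV; any row with `PersonalSyncBlocked` false is a host where the new default will take effect when the feature rolls out.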
