
In this episode of Cybersecurity Today, host Jim Love discusses recent cybersecurity breaches and vulnerabilities. Key topics include a security flaw in the new default setting of Microsoft OneDrive, a ransom incident involving PowerSchool that...
Jim Love
A new default setting on Microsoft OneDrive creates a security vulnerability. PowerSchool paid the ransom, but the attackers didn't delete the data. And Canada's largest school board is hit with a second threat over student data. And a DOGE staffer's computer was breached by info-stealing malware. Is DOGE now the biggest cybersecurity compromise of our lifetime? This is Cybersecurity Today. I'm your host, Jim Love.

Microsoft does it again: out-of-the-box protocols lead to huge vulnerabilities. We've spoken about this before: the risks involved in assuming that factory default settings for software represent adequate security. In many cases, including this one, the default settings can lead to multiple vulnerabilities. And of course, the vulnerabilities are widely known by hackers. The warning comes courtesy of a LinkedIn poster, Paolo C. from a company called Bear Security. Paolo points out that a new feature for Microsoft OneDrive, "Prompt to add personal accounts to OneDrive sync," is scheduled to be rolled out this month. The update introduces a significant security vulnerability by enabling users to synchronize their OneDrive accounts and corporate accounts with a single click. But Paolo goes on to explain that of course this default setting bypasses established security protocols, as it lacks inherent controls, logging mechanisms, and corporate policies governing synchronization of personal accounts on business devices. Consequently, he says, this creates a substantial risk of sensitive corporate data being unintentionally or maliciously transferred to personal, unmanaged environments. Paolo proposes a means of fixing this issue and avoiding a potential data leak, and that is disabling the feature through the "Disable Personal Sync" Group Policy setting.

Given the ease of data exfiltration and the potential for severe compliance and security breaches, it's very important that your IT team immediately verify the status of this policy within their organizations and take any necessary actions as your organization's risk appetite sees fit. So a shout out to Paolo, and a warning that even software as a service or cloud software requires proper oversight by a trained security professional. We believe there should actually be a big warning on the download page to that effect, and perhaps even an approval from a signing officer that proper installation and configuration will be done. We've had far too many examples of everything from configuration risks to storage buckets left without protection. Isn't it time to put an end to this?

Months ago, US-based software firm PowerSchool paid a multimillion-dollar ransom to stop the release of stolen student data from its thousands of customers across Canada and the U.S. In return, PowerSchool received assurances from the hackers that its data had been deleted, including a video purporting to show the actual deletion of the data. We're now finding out that, surprise, surprise, criminals can't be trusted. One of PowerSchool's largest customers, and one of Canada's largest school boards and the fourth largest school board in North America, the Toronto District School Board, TDSB, says it's been hit with a new ransom demand and proof that the attackers never deleted the data. Sensitive student records, perhaps dating back as much as a decade or more, are once again at risk. The TDSB revealed that it was contacted this week by a threat actor claiming to possess student data from the original December 2024 breach. That incident, which affected multiple Greater Toronto Area boards, involved stolen records from the PowerSchool student information system, including names, birth dates, health card numbers, medical history and more.

At the time of the breach, PowerSchool told school boards that the stolen data had been deleted and no copies had surfaced online. The company later confirmed that it had paid the ransom in an attempt to keep the data private, saying, "We believed it to be in the best interest of our customers, the students and the communities we serve." But now that data is once again being used to pressure the TDSB, confirming fears that cybercriminals may not actually honor their agreement. This incident raises hard questions about paying ransoms to cybercriminals, a tactic increasingly discouraged by law enforcement. The TDSB says it's working with PowerSchool, police and Ontario's privacy watchdog. But parents and students remain exposed, and the breach highlights three long-standing vulnerabilities: legacy data, weak vendor security and misplaced trust in criminals' promises. There will be fallout from this for many months to come, and who knows what other school boards will be affected or what information will or will not be disclosed. As we've discussed earlier in our last month-in-review show, the huge budgets of these school boards are often public information, and crooks may think that this makes them an attractive target. The reality is that the TDSB runs a deficit, and it couldn't possibly raise the money to pay a ransom unless they have an insurer who will put up the money. The number one lesson to be learned is that paying a ransom doesn't mean you'll get your data back and that it won't be leaked anyway. You're dealing with criminals. A second lesson to be learned is that school boards and public agencies must reevaluate data retention practices and vendor risk management. Simply storing decades of personal data, much of it no longer relevant, creates unnecessary liability. And as the Privacy Commissioner of Ontario pointed out, while PowerSchool may have the software that was breached, you cannot delegate accountability. The TDSB is ultimately accountable. Or are they?

See, senior governments may have to finally take some action here. School boards and cities don't have the resources or the expertise to properly deal with cybersecurity issues. Nor is it efficient that each individual school board, or in some cases perhaps even individual schools, have to deal with these issues. If the largest board in Canada, the fourth largest in North America, doesn't have the resources and the skills to properly deal with this, how can we expect smaller municipalities to even begin to address it? And it may be different in the U.S., but in Canada, the provinces have ultimate responsibility for education, and if anybody steps into their territory, they're the first ones to say, hey, we're in charge here. Except when it comes to spending money or solving this problem. And as the Ontario Privacy Commissioner pointed out, you can't delegate accountability. Glad to hear from you on this or any examples from other jurisdictions.

Kyle Schutt is a 30-something-year-old software engineer who, according to Drop Site News, gained access in February to core financial management systems belonging to the Federal Emergency Management Agency, or FEMA. He was working at the time for the Department of Government Efficiency, or DOGE, and he had his personal computer compromised by info-stealing malware. Now, this breach could have resulted in the exposure of sensitive credentials, and it raised some concerns about the security protocols within federal agencies. But it doesn't stop there. In addition to his role at FEMA, Schutt also worked at the Government Security Agency, or CISA, where he might have had access to some of the most sensitive information on government networks. In addition to cybersecurity issues, the compromised credentials were discovered in leaked stealer logs, which are collections of data harvested by malware that's designed to extract information like saved passwords, browser data, and even session tokens. These logs are often sold on dark web marketplaces, providing malicious actors with access to sensitive systems. In this case, the logs contain credentials linked to various government platforms, potentially jeopardizing the integrity of critical infrastructure. And the incident not only highlights the persistent threat posed by info-stealing malware, which can infiltrate systems without immediate detection, but it also highlights the security risks posed by DOGE staffers, who are increasingly getting a reputation for both having extraordinary access to US Government systems and combining that with a disregard for proper security protocols. According to journalist Micah Lee, usernames and passwords belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Besides pilfering login credentials, stealers could also be capturing keystrokes or screen output, and that data would be sent directly to the attacker. But Lee notes, "I have no way of knowing exactly when Schutt's computer was hacked or how many times," and apparently neither do his employers, because no one has checked the dark web or possibly even checked Have I Been Pwned. Having a hacked computer connected to any government agency or department is a serious matter. But the number of security incidents and warning signs from DOGE access is unprecedented. And if you tune in this weekend to our interview show, we have as our guest a whistleblower who, among other things, will reveal that DOGE employees, at least in his case, appeared to have absolute access to agency systems with no restrictions on what they could see or do. And if that's a consistent policy of DOGE, combined with the sloppiness we've seen from their employees, this could indeed represent the greatest cybersecurity threat in U.S. history. The story we'll tell this weekend has been revealed both to Congress and other journalists, so we didn't find out about it in a parking garage. But despite that, when I finished the interview, I remarked to my wife that my hands were shaking, and I knew in the moment what Haldeman and Ehrlichman must have felt like when they first got the story of the Watergate burglary. We are at a pivotal point in history. Am I exaggerating? Listen in this weekend and judge for yourself. The show drops at 3:00am Eastern Time on Saturday morning.

And that's our show. Sorry if my frustration showed in a couple of stories. It's just really difficult to keep reporting on issues that should be fixed. The key word is accountability, and while it's become fashionable to put that under the CISO or under overworked IT and security staff, it's just not fair, because in all too many cases what these people say can be overruled, and all too often is. Anyway, that's my opinion. As always, I'd love to hear your thoughts, agree or disagree. And if you want to get a shout out, let us know of any issues that you see in your day-to-day work. You can reach me at editorial@technewsday.ca, you can find me on LinkedIn, or if you're watching on YouTube, just drop a note under the video. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Episode Summary Host: Jim Love | Release Date: May 9, 2025
In the latest episode of Cybersecurity Today, host Jim Love delves into three significant cybersecurity breaches that have sent shockwaves through the industry. From vulnerabilities in widely-used software to the repercussions of ransomware payments and the alarming compromises within government agencies, this episode provides a comprehensive overview of the current cybersecurity landscape.
The episode kicks off with a critical analysis of a new default setting introduced by Microsoft in OneDrive. Jim Love highlights how this seemingly innocuous update has opened doors for potential security breaches.
Key Points:
Default Settings as Vulnerabilities: Love emphasizes that factory default settings often assume a level of security that may not be adequate, leading to multiple vulnerabilities known to hackers.
Paolo C.'s Warning: Drawing attention to a LinkedIn post by Paolo C. from Bear Security, Love explains the new OneDrive feature that allows users to synchronize personal and corporate accounts with a single click. This bypasses essential security protocols, lacking controls, logging mechanisms, and corporate policy enforcement.
“This creates a substantial risk of sensitive corporate data being unintentionally or maliciously transferred to personal unmanaged environments.” — Paolo C., Bear Security [02:15]
Proposed Solution: Paolo recommends disabling the feature using the Disable Personal Sync Group Policy setting to mitigate the risk of data exfiltration and potential compliance breaches.
“It's very important that your IT team immediately verify the status of this policy and take necessary actions as your organization's risk appetite sees fit.” — Paolo C. [03:05]
Call for Enhanced Oversight: Love advocates for stricter oversight by security professionals, suggesting that even cloud software should come with prominent warnings and require approval from a signing officer to ensure proper installation and configuration.
“We've had far too many examples of everything from configuration risks to storage buckets left without protection. Isn't it time to put an end to this?” — Jim Love [04:20]
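The episode asks IT teams to verify the status of the "Disable Personal Sync" policy. The PowerShell below is an added example, not code from the episode or from Bear Security: it reports whether that policy is enforced on the local device and on a constructed list of placeholder hosts, and can enforce it locally. The registry paths and the DisablePersonalSync value name are assumed from the OneDrive ADMX policy templates, and the $Computers names are placeholders; confirm both against your own environment before relying on the result.

```powershell
# Added example, not from the episode or from Bear Security.
# Checks whether the OneDrive "Disable Personal Sync" policy is enforced and,
# optionally, enforces it locally. Registry locations are assumed from the
# OneDrive ADMX policy templates; confirm them against your own templates.

$PolicyValue = 'DisablePersonalSync'
$MachinePath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$UserPath    = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-PersonalSyncPolicyState {
    # Enforced = $true when either the machine or the user policy sets the value to 1.
    param([string[]]$Paths = @($MachinePath, $UserPath))
    foreach ($path in $Paths) {
        $data = Get-ItemProperty -Path $path -Name $PolicyValue -ErrorAction SilentlyContinue
        if ($null -ne $data -and [int]$data.$PolicyValue -eq 1) {
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Enforced = $true; Scope = $path }
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Enforced = $false; Scope = $null }
}

function Set-PersonalSyncDisabled {
    # Local remediation; needs an elevated session. Prefer Group Policy or Intune
    # so the setting is centrally managed and changes to it are logged.
    if (-not (Test-Path $MachinePath)) { New-Item -Path $MachinePath -Force | Out-Null }
    New-ItemProperty -Path $MachinePath -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
}

# Fleet check over a constructed placeholder list. A remote session's HKCU is the
# connecting admin's own hive, not the logged-on user's, so only HKLM is checked remotely.
$Computers = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02')
$results = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            $data = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Enforced = ($null -ne $data -and [int]$data.$Name -eq 1)
                Scope    = $Path
            }
        } -ArgumentList $MachinePath, $PolicyValue
    } catch {
        [pscustomobject]@{ Computer = $c; Enforced = $null; Scope = "unreachable: $($_.Exception.Message)" }
    }
}

# Local state first, then every fleet host that is not confirmed as enforced.
Get-PersonalSyncPolicyState | Format-Table -AutoSize
$results | Where-Object { $_.Enforced -ne $true } | Format-Table -AutoSize
# To remediate the local machine from an elevated session: Set-PersonalSyncDisabled
```

A host that shows Enforced = $false has no policy forbidding personal OneDrive accounts, which is the state the episode warns about; a $null result means the host could not be reached and should be checked by other means rather than assumed compliant. Treat the registry check as evidence, not as the control itself: the control is the policy object in Group Policy or Intune, which also gives you the change history the episode says the feature otherwise lacks.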
The conversation shifts to the troubling case of PowerSchool, a US-based software firm, which recently paid a multimillion-dollar ransom to prevent the release of stolen student data. However, the story takes a darker turn as it emerges that the attackers did not delete the data as promised.
Key Points:
Initial Ransom Payment: PowerSchool paid the ransom to keep the stolen student data private, providing assurances and even a video purportedly showing the data deletion.
“We believed it to be in the best interest of our customers, the students, and the communities we serve.” — PowerSchool Representative [05:30]
TDSB's New Ransom Demand: The Toronto District School Board (TDSB), one of PowerSchool's largest clients, has now been targeted with a new ransom demand, indicating that the initial promise to delete the data was unfulfilled.
“Paying a ransom doesn't mean you'll get your data back, and that it won't be leaked anyway.” — Jim Love [07:45]
Implications for School Boards:
Accountability and Resource Challenges: Love discusses the broader implications for school boards and public agencies, emphasizing that they often lack the resources and expertise to handle such cybersecurity threats effectively.
“Senior governments may have to finally take some action here. School boards and cities don't have the resources or the expertise to properly deal with cybersecurity issues.” — Jim Love [10:20]
The final segment addresses a severe breach involving a DOGE staffer, raising concerns about the security protocols within federal agencies.
Key Points:
Incident Overview: Kyle Schutt, a software engineer working for the Department of Government Efficiency (DOGE), had his personal computer compromised by info-stealing malware. This breach potentially exposed sensitive credentials from critical government systems.
“Having a hacked computer connected to any government agency or department is a serious matter.” — Jim Love [12:10]
Access to Sensitive Information: Schutt’s roles at both FEMA and the Government Security Agency (CISA) meant that the compromised credentials could grant malicious actors access to some of the most sensitive government networks.
Persistence of Malware Threats: The episode underscores the relentless nature of info-stealing malware, which can infiltrate systems stealthily and remain undetected for extended periods.
“The compromised credentials were discovered in leaked stealer logs, providing malicious actors with access to sensitive systems.” — Jim Love [14:00]
Lax Security Protocols at DOGE: According to investigative journalist Micah Lee, Schutt’s credentials have been exposed multiple times, indicating systemic issues within DOGE regarding access controls and monitoring.
“If Doge employees have absolute access to agency systems with no restrictions, combined with sloppy security practices, this could represent the greatest cybersecurity threat in U.S. history.” — Jim Love [16:25]
Upcoming Revelations: Love hints at an upcoming interview with a whistleblower who will shed more light on the extent of DOGE's security lapses, drawing parallels to the Watergate scandal in terms of its potential impact.
“We are at a pivotal point in history.” — Jim Love [17:50]
Jim Love wraps up the episode by expressing his frustration over the recurring nature of these cybersecurity issues, emphasizing the need for accountability at higher organizational levels rather than placing the burden solely on overworked IT and security staff.
“The key word is accountability, and while it's become fashionable to put that under the CISO or under overworked IT and security staff, it's just not fair because in all too many cases what these people say can be overruled and all too often is.” — Jim Love [19:10]
Love invites listeners to engage by sharing their thoughts and experiences, reinforcing the community-driven approach essential for combating cybersecurity threats.
Stay Informed: For those looking to bolster their cybersecurity measures, this episode serves as a crucial reminder of the evolving threats and the importance of proactive security management. Whether you're part of a large organization or a smaller entity, the insights shared by Jim Love highlight the necessity of vigilance, proper configuration, and unwavering accountability in safeguarding sensitive data.
For more detailed discussions and expert interviews, tune in to the next episode of Cybersecurity Today.