K-12 Cybersecurity Insider | 8/25/2025 edition

A biweekly newsletter providing curated cybersecurity news to the K-12 community, as a public service of K12 SIX. Sign up for the K12 SIX mailing list to have future editions delivered to your inbox.


Mark Your Calendar

In the News

THREAT Detected | When SSO and MFA Aren't Enough: Hidden Credential Risk in K-12

You've done the right thing. You’ve implemented Single Sign-On (SSO) and mandated Multi-Factor Authentication (MFA) across your school district staff accounts. You're feeling confident in your security posture. But what about the dozens, or even hundreds, of other applications your staff uses every day that aren't tied to your central SSO? This is the soft underbelly of your security strategy, and it's more vulnerable than you think.

L.A. Schools Telehealth Vendor Waited 8 Months to Report Breach

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Doug Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

If a 14-year-old could hack them, how weak was security for 400,000 confidential student records?

A federal lawsuit filed by the parent company of Final Forms, a firm that collects and stores student information for school districts, has exposed a troubling security breach that has parents across Ohio concerned about data privacy. The company is suing a Dublin, Ohio, teenager and his parents after the boy hacked into their database and accessed hundreds of thousands of student records.

K12 SIX Announces 2025-26 Steering Committee

“As we enter the 2025-26 school year, K12 SIX’s Steering Committee will play a vital role in addressing the cybersecurity challenges facing school systems nationwide. Their leadership will chart the future direction of K12 SIX programs, ensure members’ evolving cybersecurity needs are met, and help guide the growth and resilience of the sector,” said Doug Levin, K12 SIX director. “Cybersecurity in K-12 is just too big and too underfunded for any one district to handle on its own,” said Steering Committee member Richard Thomas. “What makes K12 SIX so valuable is that it gives us a way to come together—sharing knowledge, support, and threat intelligence so we can all do a better job protecting our schools.”

Fast Facts

  • 47: U.S. K-12 ransomware victims claimed by threat actors (2025 to date) (source)

  • 203: Severe information technology vulnerabilities (CVSS Base Score 7.0+) disclosed in past week (source)

Members Get More

The K12 Security Information eXchange (K12 SIX) operates as the information sharing and analysis center (ISAC) exclusively for the K-12 education sector. Organizations eligible for membership include school districts, charter schools and charter management organizations, private/independent schools, regional education agencies, and state education agencies. K12 SIX members get more.
