K-12 Cybersecurity Insider | 4/9/2026 edition
A biweekly newsletter providing curated cybersecurity news to the K-12 community, as a public service of K12 SIX. Sign up for the K12 SIX mailing list to have future editions delivered to your inbox.
Mark Your Calendar
4/16 - “The K12 SIX Essential Cybersecurity Protections: Cyber Defense for Every K-12 Organization” webinar
4/21 - “Beyond the Breach: Setting a New Security Standard for Vendor Partnerships” webinar (sponsored by Clever)
4/22 - K12 SIX Monthly Membership Meeting (member-only)
5/5 - “Leveraging Defender XDR & Sentinel Automations” webinar (sponsored by Microsoft)
In the News
For a sector still reeling from last year’s news about a PowerSchool student information system breach, there is now a breach notification from another leading provider: Infinite Campus. While some have been quick to compare this most recent incident to PowerSchool’s December 2024 incident, it actually more closely resembles PowerSchool’s August 2025 incident, which admittedly flew under a lot of people’s radar. Both the Infinite Campus incident and the August PowerSchool incident centered on their use of a third-party application, Salesforce (which companies typically use for both sales and customer support functions). Indeed, Salesforce and its customers have been the subject of sustained and targeted attacks over the last two years. The good news: data exfiltrated in these K-12-related incidents do not contain large amounts of personally identifiable information. The bad news: more to-do’s for K-12 privacy and security practitioners. In reflecting on the root cause of these incidents, one has to wonder what it will take to ensure that phishing-resistant MFA becomes the standard for ‘reasonable’ vendor cybersecurity.
The U.S. is a litigious society, so it was only a matter of time before class action lawsuits - brought about school edtech products, but not by school systems directly - resulted in settlements that nonetheless affect schools. In the last week, we’ve seen two such settlements. The first settlement involves Naviance, the popular college and career planning tool, and the second involves LINQ, which is an ERP and school lunch management application. The Q.J. v. PowerSchool Holdings LLC, et al. settlement covers students who “logged into the Naviance Platform offered by Hobsons and, later PowerSchool, at least once during the period beginning on August 18, 2021, and continuing through January 23, 2026.” The Connor Law v. EMS LINQ, LLC. settlement only covers those who were previously sent written notification by LINQ that their personal information “was potentially accessed, viewed, and/or obtained as a result of the Data Security Incident which occurred between September 12, 2023, and May 13, 2024.” (Of note, the instigating LINQ incident does not appear to have been publicly disclosed prior to this settlement.) What do these settlements have in common? Settlement administrators are reaching out to covered parties directly - including students and staff - without any prior notification to the K-12 organizations that hold the contracts with Naviance and/or LINQ. The result: tough questions to school districts about their technology vendors (and lawsuits about which they were wholly unaware). One can only hope that class members don’t get too excited about the pennies that may come their way by opting in to these settlements.
A Plea for Responsible Attribution
When school systems fall victim to cyber attacks, they would do well not to make public attribution to specific threat actors, including nation states or APTs. Why? First, attribution is notoriously hard and can invite retaliation and unwanted attention, and - second - spurious claims of attribution (for instance, during a time of heightened geopolitical conflict) can make it more difficult for those on the front lines of critical infrastructure and national security to triage and prioritize their work - especially when those claims may be magnified by the media. After all, who is more likely to be behind a recent denial-of-service attack against a school system? Iranian actors lashing out against U.S. aggression or a bored student seeking to avoid taking this year’s battery of state-mandated achievement tests?
Save the Date: 2027 K12 SIX Annual Conference
K12 SIX is pleased to announce that the next edition of the premier event for K-12 cybersecurity practitioners will be held from February 17-19, 2027 in Atlanta, Georgia. Mark your calendars and stay tuned for more information on speaker submissions, registration, and sponsorship opportunities.
Members Get More
The K12 Security Information eXchange (K12 SIX) operates as the independent, non-profit information sharing and analysis center (ISAC) exclusively for the K-12 education sector. K12 SIX was founded in 2020; organizations eligible for membership include school districts, charter schools and charter management organizations, private/independent schools, regional education agencies, and state education agencies. K12 SIX members get more.