Cyber Incident Victim: Brightly Software
Date: Apr 2023
Location: United States of America
Summary
Brightly Software, a Siemens subsidiary, suffered a security incident where an unauthorized actor accessed the database of its SchoolDude application. The breach resulted in the theft of customer account information, including names, email addresses, passwords, phone numbers, and school district names. The company responded by resetting all user passwords and notifying law enforcement. The incident impacted nearly three million customers of the cloud-based educational maintenance platform.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around April 20, 2023, an unauthorized actor gained access to the systems of Brightly Software, a U.S. tech company and Siemens subsidiary. The specific intrusion vector and initial point of compromise were not publicly disclosed by the company. The target of this breach was the user database for SchoolDude, a cloud-based platform operated by Brightly. SchoolDude is an application used by educational institutions for placing and tracking maintenance work orders. The platform is utilized by over 7,000 colleges, universities, and K-12 school districts, some of which are as large as 600,000 students. Brightly’s broader suite of SaaS solutions is used by more than 12,000 organizations globally, with a significant presence in the United States, Canada, the United Kingdom, and Australia; however, this incident was specifically confined to the SchoolDude application.

The threat actors successfully exfiltrated data from the SchoolDude user database. The stolen customer account information included names, email addresses, account passwords, phone numbers where such data had been provided, and the names of the associated school districts. The company did not specify the technical method by which the database was accessed or whether the data was encrypted at rest. The period of unauthorized access lasted for eight days, from the initial infiltration on April 20 until the incident was discovered by Brightly on April 28, 2023. Upon discovery, Brightly Software initiated its response protocols. The company reported the breach to relevant law enforcement authorities and engaged third-party security experts to assist with investigating the attack and understanding its full scope.
A primary containment action taken by Brightly was to reset the passwords for all SchoolDude users. This action was intended to invalidate the stolen credentials and prevent the unauthorized actor from using them to gain access to user accounts. All users were required to set a new password through the "Forgot Login Name or Password?" feature on the login.schooldude.com portal. In official notifications sent to affected customers, Brightly explicitly warned that because passwords were affected, there was a risk of credential stuffing attacks if users had reused their SchoolDude password on other online accounts. The company recommended that users promptly change their passwords on any other accounts where the same password was in use, emphasizing the importance of using strong and unique passwords for each online account.
The scale of the incident was significant. According to a data breach notification filed with the Office of the Maine Attorney General, the security breach affected a total of 2,964,292 individuals. These individuals were customers and users of the SchoolDude platform. The exposure of personal information, particularly hashed or plaintext passwords alongside email addresses and names, created a substantial risk for those affected. The compromised credentials could be used for targeted phishing campaigns, identity theft, or attempts to access other services where users may have employed the same login details. The inclusion of school district names further increased the potential for highly targeted and convincing social engineering attacks against educational institution staff.
Brightly’s public communication regarding the incident was limited to the details contained within the customer notification letters. A company spokesperson, when contacted, did not provide any information beyond what was already shared with affected users. The company’s response focused on the immediate steps of password resets, law enforcement engagement, and the initiation of a forensic investigation with external experts. There was no public disclosure regarding whether additional security measures, such as enhanced monitoring or system hardening, were implemented following the breach. The incident highlighted the risks associated with centralized platforms storing large volumes of user credentials and personal data for the education sector, a particularly sensitive community given its often limited cybersecurity resources. The compromise of SchoolDude disrupted a critical operational tool for thousands of educational institutions, forcing a mass credential reset and potentially undermining trust in the platform's security. The full technical details of the attack and the identity of the threat actors responsible were not revealed publicly.
