I have worked for a few school districts and the security has always been very poor. Nobody really hardened Windows too much, leaving the attack surface wide open. In grade 8 I discovered blank admin creds. In grade 12 I trivially pwned our grade system with URL enumeration. I disclosed these responsibly. The local community college had numerical birthdays for student AND FACULTY passwords and published the full class rosters on Moodle for any student with basic OSINT skills to have some fun, although I think this policy was changed after they got owned last year. I tried to tell them. Schools either need to go full Chromebook, or get a SOC, or we need to start really investing in Linux-based school infra. Or Windows needs to make Group Policy easier maybe. I found something called Univention Corporate Server, a German Debian-based offering which seems fair, but I can't speak for it in practice. One of the problems is school vendor software is typically beyond bad. Very, very expensive with ANCIENT libraries. Payroll uses super old programs because they comply with obscure and complicated state tax requirements for schools, that they probably paid 40k for. I'm just ranting at this point... *Sigh* I just got hired to work at a college again and would love some thoughts on this; news like this always triggers me. I'm not sure what I'll be walking into just yet. Lately I see districts moving responsibility onto cloud vendors.