On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool informing her that the school she worked for was one of the victims of a data breach discovered by the company on December 28. PowerSchool said hackers had accessed a cloud system that contained personal data of students and teachers, including Social Security numbers, medical information, grades and other personal information from schools all over the world.
Given that PowerSchool touts itself as the largest provider of cloud-based education software for K-12 schools in North America (nearly 18,000 schools and more than 60 million students), the impact could be “massive,” according to one tech worker at an affected school who spoke to TechCrunch. Sources in school districts affected by the incident told TechCrunch that hackers accessed the historical data of “all” students and teachers stored in systems provided by PowerSchool.
Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system, the one that was hacked, to manage student data like grades, attendance and enrollment, as well as more sensitive data like student Social Security numbers and medical records.
The morning after receiving the email from PowerSchool, Backus said she went to her manager, invoked the school’s protocols for handling data breaches and began investigating the breach to understand exactly what the hackers stole from her school, because PowerSchool didn’t provide any details about her school in the disclosure email.
“I started digging because I wanted to know more,” Backus told TechCrunch. “I’m just saying to me, OK, we’re impressed. Excellent. So what’s up? When was it bought? How bad is it?”
“They weren’t willing to provide us with any specific information that customers needed to do our due diligence,” Backus said.
Backus soon realized that other administrators at schools using PowerSchool were trying to find the same answers.
“Some of that had to do with confusing and inconsistent communication from PowerSchool,” according to one of the half-dozen school employees who spoke to TechCrunch on condition that neither they nor the school district be named.
“To (PowerSchool’s) credit, they alerted their customers to this very quickly, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst and confusing at best,” the person said.
Want to learn more about the PowerSchool breach? On a non-work device, you can safely contact Lorenzo Franceschi-Bicchierai at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by e-mail. You can also contact TechCrunch via SecureDrop.
In the first hours after PowerSchool’s notification, schools struggled to understand the extent of the breach or whether they had been breached at all. The email lists where PowerSchool customers typically share information with each other “exploded,” Adam Larsen, assistant principal at Community Unit School #220 in Oregon, Illinois, told TechCrunch.
The community quickly realized that they were alone. “We need our friends to act quickly because they can’t trust PowerSchool’s data right now,” Larsen said.
“There was a lot of panic and I wasn’t reading what was being shared anymore and then I was asking the same questions over and over again,” Backus said.
Because of her skills and system knowledge, Backus said she was able to quickly figure out what data was breached at her school and began comparing records with staff at other affected schools. When she realized there was a pattern to the breach, and suspected it might be the same for others, Backus decided to create a guide detailing the specific IP address the hackers used to breach schools, along with steps to investigate the incident and determine what specific data was stolen and whether a system was breached.
On January 8 at 16:36 Dubai time, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc over WhatsApp to group chats with other PowerSchool administrators based in Europe and the Middle East, who often share information and resources to help each other. After talking to more people that day and refining the document, Backus said she posted it to the PowerSchool User Group, an unofficial support forum for PowerSchool users with over 5,000 members.
Since then, the document, updated regularly and growing to around 2000 words, has effectively gone viral within the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created the Bit.ly shortcut. Several people have publicly shared the document’s full web address on Reddit and other closed groups, so it’s likely that many more people have seen the document. At the time of writing, the document had about 30 followers.
Later that day, Backus shared her paper, while Larsen published an open source toolkit, as well as a how-to video, with the goal of helping others.
Backus’ paper and Larsen’s tools are an example of how the community of workers at hacked schools, and at those that haven’t actually been hacked but were still notified by PowerSchool, is coming together to support each other. According to a half-dozen staff members of the affected schools who took part in the community effort and spoke to TechCrunch about their experience, school staff were forced to respond to the breach in a massive act of solidarity and necessity due to PowerSchool’s slow and incomplete response.
Several other school staff supported each other in a few Reddit threads. Some of them were posted on a subreddit for K-12 system administrators, where users must be verified to be able to post.
Doug Levin, co-founder and national director of the K12 Security Information Exchange (K12 SIX), a nonprofit that helps schools with cybersecurity and has published its own frequently asked questions about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is so broad that it’s more obvious.”
“The sector itself is quite large and diverse — and in general, we haven’t yet built the infrastructure for information sharing that exists in other sectors for cybersecurity incidents,” Levin said.
Levin stressed that the education sector must rely more on open collaboration through informal, sometimes public channels, as schools are generally understaffed in terms of IT staff and lack specialist cybersecurity expertise.
Another school official told TechCrunch that “for many of us, we don’t have the funding for the full cybersecurity resources needed to respond to incidents, and we have to come together.”
Reached for comment, PowerSchool spokeswoman Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community dedicated to sharing information and helping each other. We are grateful for the patience of our customers and express our sincere gratitude to those who have stepped up to help their peers by sharing information. We will continue the same work.”
Additional reporting by Carly Page.