
How victims of the PowerSchool data breach helped each other investigate a ‘massive’ hack.


On January 7, at 11:10 pm in Dubai, Romy Backus received an email from education technology giant PowerSchool informing her that the school she works for was one of the victims of a data breach that the company discovered on December 28. PowerSchool said hackers had accessed a cloud system that housed a wealth of private student and teacher information, including Social Security numbers, medical information, grades, and other personal data from schools all over the world.

Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools—some 18,000 schools and more than 60 million students—in North America, the impact could be “massive,” as a technical worker at an affected school told TechCrunch. Sources from the school districts affected by the incident told TechCrunch that hackers gained access to “all” their student and teacher historical data stored in their PowerSchool-provided systems.

Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data, such as grades, attendance, and enrollment, and even more sensitive information like students’ Social Security numbers and medical records.

The morning after receiving the email from PowerSchool, Backus said she went to see her manager, activated the school’s protocols for handling data breaches, and began investigating the breach to figure out exactly what the hackers stole from her school, since PowerSchool didn’t provide any details regarding her school in its disclosure email.

“I started digging because I wanted to know more,” Backus told TechCrunch. “I’m just saying, okay, we’ve been affected. Perfect. Well, what was taken? When was it taken? How bad is it?”

“They weren’t ready to provide us with any concrete information that customers needed to do our own due diligence,” Backus said.

Soon after, Backus realized that other administrators at schools using PowerSchool were trying to find the same answers.

“Some of it had to do with the confusing and inconsistent communication coming from PowerSchool,” according to one of the half-dozen school workers who spoke to TechCrunch on the condition that neither they, nor their school district, be named.

“To (PowerSchool’s) credit, they actually notified their customers very quickly about this, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, confusing at best,” the person said.

Contact us

Do you have more information about the PowerSchool breach? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

In the first hours after PowerSchool’s notification, schools were scrambling to understand the extent of the breach, or even whether they had been breached. The email listservs of PowerSchool customers, where they routinely share information with each other, “exploded,” Adam Larsen, the assistant superintendent for Community Unit School District 220 in Oregon, Illinois, told TechCrunch.

The community soon realized they were on their own. “We need our friends to act quickly because they can’t really trust PowerSchool information right now,” Larsen said.

“There’s been a lot of panic and not reading what’s already been shared, and then asking the same questions over and over again,” Backus said.

Thanks to her skills and knowledge of the system, Backus said she was able to quickly figure out what data was compromised at her school, and began comparing notes with other workers from other affected schools. When she realized there was a pattern to the breach, and suspecting it might be the same for others, Backus decided to put together a how-to guide with details such as the specific IP address the hackers used to breach the schools, and the steps to take to investigate the incident and determine whether a system has been breached and which specific data has been stolen.

At 4:36 pm Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc over WhatsApp to group chats with other PowerSchool administrators based in Europe and the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she published it on the PowerSchool User Group, an unofficial support forum for PowerSchool users that has over 5,000 members.

Since then, the document has been updated regularly and has grown to nearly 2,000 words, effectively going viral in the PowerSchool community. As of Friday, the document has been viewed more than 2,500 times, according to Backus, who created a short Bit.ly link that allows her to see how many people have clicked on the link. Many people have publicly shared the full web address of the document on Reddit and other closed groups, so it is likely that many more have seen the document. At the time of writing, there were about 30 viewers on the document.

The same day Backus shared her document, Larsen published an open source toolset, as well as a how-to video, with the goal of helping others.

Backus’ document and Larsen’s tools are an example of how the community of workers in schools that have been hacked – and those that have not been hacked, but have still been notified by PowerSchool – have come together to support each other. School workers have had to resort to helping each other and responding to the breach in a crowdsourced way, fueled by solidarity and necessity, because of the slow and incomplete response from PowerSchool, according to the half dozen workers at affected schools who participated in the community effort and talked about their experiences with TechCrunch.

Many other school workers supported each other in several Reddit threads. Some of them were posted on the K-12 system administrators subreddit, where users have to be verified to be able to post.

Doug Levin, the co-founder and national director of a nonprofit that helps schools with cybersecurity, the K12 Security Information eXchange (K12 SIX), which published its own FAQ about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is of such a large scope that it’s more obvious.”

“The sector itself is quite large and diverse — and we generally haven’t established the information-sharing infrastructure that exists in other sectors for cybersecurity incidents,” Levin said.

Levin stressed that the education sector must rely on open collaboration through more informal, sometimes public channels, often because schools are generally understaffed in terms of IT workers and lack specialized expertise in cybersecurity.

Another school employee told TechCrunch that “for many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents and we have to join.”

When reached for comment, PowerSchool spokeswoman Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community that is dedicated to sharing information and helping others. We are grateful for the patience of our customers and we sincerely thank those who have jumped in to help their partners by sharing the information. We will continue to do the same.”

Additional reporting by Carly Page.


