On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach discovered by the company on December 28. According to PowerSchool, the hackers accessed a cloud system that contained a collection of personal student and teacher information, including social security numbers, medical information, grades and other personal data from schools all over the world.
Since PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools — about 18,000 schools and more than 60 million students — in North America, the impact could be “huge,” as a field worker of technology was affected, the school told TechCrunch. Sources at school districts affected by the incident told TechCrunch that the hackers had access to “all” of their student and teacher historical data stored on PowerSchool-provided systems.
Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data such as grades, attendance, enrollment, as well as more sensitive information such as student social security numbers and medical records.
The morning after receiving the email from PowerSchool, Backus said she went to see her principal, activated the school’s protocols for handling data breaches and began investigating the breach to figure out exactly what the hackers stole from her school. , as PowerSchool did not provide every detail related to her school in his disclosure email.
“I started digging because I wanted to learn more,” Backus told TechCrunch. “You just told me that, okay, we’ve been affected. Large. So what has been taken? When was it taken? How bad is it?’
“They weren’t ready to give us any of the specific information that clients needed to do our due diligence,” Backus said.
Soon after, Backus realized that other administrators at schools using PowerSchool were trying to find the same answers.
“Some of it had to do with the confusing and inconsistent communication coming from PowerSchool,” according to one of the school’s employees who spoke to TechCrunch on the condition that neither they nor their school district be identified.
“To [PowerSchool]To his credit, they actually notified their customers very quickly about this, especially when you look at the tech industry as a whole, but their communication lacked any reliable information and was at worst misleading, at best completely confusing,” he said. the person.
Contact us
Do you have more information about the PowerSchool breach? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.
In the hours after PowerSchool was notified, schools were scrambling to figure out the extent of the breach, or even if they had been breached at all. PowerSchool customers’ email lists, where they typically share information with each other, “exploded,” Adam Larsen, the assistant superintendent for Community Unit School District 220 in Oregon, Illinois, told TechCrunch.
The community quickly realized they were on their own. “We need our friends to act quickly because they can’t really trust the PowerSchool information right now,” Larsen said.
“There was a lot of panic and I wasn’t reading what’s already been shared, and then we were asking the same questions over and over again,” Backus said.
Thanks to her own skills and knowledge of the system, Backus said she was able to quickly figure out what data had been breached at her school and began comparing notes with other workers from other affected schools. Realizing there was a pattern to the breach, and suspecting it might be the same for others, Backus decided to put together a guide with details such as the specific IP address the hackers used to breach the schools and the steps to investigate incident and determine whether a system had been breached, as well as what specific data had been stolen.
At 4:36 p.m. Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc on WhatsApp in group chats with other PowerSchool administrators based in Europe and the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she published it the PowerSchool user groupan unofficial support forum for PowerSchool users that has more than 5,000 members.
Since then the document it has been regularly updated and has grown to nearly 2,000 wordsit’s practically going viral within the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a short Bit.ly link that allows her to see how many people clicked on the link. Several people have publicly shared the document’s full web address on Reddit and other closed groups, so it’s likely that many more have seen the document. At the time of writing, there were about 30 viewers of the document.
That same day Backus shared her paper, which Larsen published a set of open source toolsas well as a how-to videowith the goal of helping others.
Backus’ paper and Larsen’s tools are an example of how the community of school employees who were breached—and those who weren’t actually breached but were still notified by PowerSchool—came together to support each other. Employees at the schools had to resort to helping each other and responding to the breach in a crowdsourced fashion fueled by solidarity and necessity because of the slow and lackluster response from PowerSchool, according to the half-dozen employees at the affected schools who participated in the community effort and talked about their experiences with TechCrunch.
Several other school workers supported each other in several Reddit threads. Some of them were published on the K-12 system administrators subredditwhere users must be screened and verified before they can post.
Doug Levin, the co-founder and national director of a nonprofit that helps schools with cyber security, the K12 Security Information eXchange (K12 SIX), published his own FAQ about the PowerSchool hack, he told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is so big that it’s more visible.”
“The field itself is quite large and diverse — and, in general, we haven’t yet created the information-sharing infrastructure that exists in other fields for cybersecurity incidents,” Levin said.
Levin highlighted the fact that the education sector needs to rely on open collaboration through more informal, sometimes public channels, often because schools are generally understaffed in terms of IT workers and lack specialist cybersecurity expertise.
Another school employee told TechCrunch that “for so many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents, and we need to come together.”
When reached for comment, PowerSchool spokeswoman Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community that is committed to sharing information and helping each other. We are grateful for our customers’ patience and sincerely thank those who have stuck around to help their peers by sharing information. We will continue to do the same.”
Additional reporting by Carly Page.
