On January 7, at 11:10 pm in Dubai, Romy Backus received an email from education technology giant PowerSchool, informing her that the school where she works was one of the victims of a data breach the company disclosed on December 28 . PowerSchool said the hackers had access to a cloud system that housed a trove of private student and teacher information, including social security numbers, medical information, grades and other personal data from schools. around the world.
Given that PowerSchool bills itself as the largest provider of cloud-based educational software for K-12 schools — about 18,000 schools and more than 60 million students — in North America, the impact could be “ massive,” as a tech worker in an affected. the school told TechCrunch. Sources at the school districts affected by the incident told TechCrunch that the hackers had access to “all” of their historical student and teacher data stored on their systems provided by PowerSchool.
Backus works at the American School of Dubai, where he manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data such as grades, attendance, enrollment, and also more sensitive information such as students’ social security numbers and medical records.
The morning after receiving the email from PowerSchool, Backus said she went to see her manager, activated the school’s protocols for handling data breaches and began investigating the breach to figure out exactly what the hackers stole from her school. as PowerSchool did not provide every detail about her school in her disclosure email.
“I started digging because I wanted to know more,” Backus told TechCrunch. “Just telling me that, okay, we’re touched. Big. Well, what’s up? When was it taken? How bad is it?”
“They weren’t ready to give us any of the concrete information that clients needed to do our due diligence,” Backus said.
Soon after, Backus realized that other administrators at schools using PowerSchool were trying to find the same answers.
“Some of it had to do with confusing and inconsistent communication coming from PowerSchool,” according to one of a half-dozen school employees who spoke to TechCrunch on condition that neither they nor their school district be named.
“To (PowerSchool’s) credit, they actually warned their customers about this very quickly, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, downright confusing.” at best.” said the person.
Contact us
Do you have more information about the PowerSchool breach? From a broken device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch through SecureDrop.
In the hours after PowerSchool’s announcement, schools were scrambling to understand the extent of the breach, or even if they had been breached at all. PowerSchool customers’ email lists, where they typically share information with each other, “exploded,” as Adam Larsen, assistant superintendent for Community School District 220 in Oregon, Illinois, told TechCrunch.
The community quickly realized they were alone. “We need our friends to act fast because they can’t really trust PowerSchool information right now,” Larsen said.
“There was a lot of panic and not reading what’s already been shared, and then asking the same questions over and over again,” Backus said.
Thanks to her skills and knowledge of the system, Backus said she was able to quickly figure out what data had been compromised at her school and began comparing notes with other employees from other affected schools. When she realized there was a pattern to the breach, and suspecting it might be the same for others, Backus decided to put together a how-to guide with details, such as the specific IP addresses the hackers used to breach the schools. and steps. to investigate the incident and determine whether a system was breached, along with what specific data was stolen.
At 4:36 p.m. Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc on WhatsApp to group chats with other PowerSchool-based administrators. in Europe and throughout the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said he posted it to the PowerSchool User Group, an informal support forum for PowerSchool users that has more than 5,000 members.
Since then, the document has been updated regularly and has grown to nearly 2,000 words, effectively going viral within the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a short Bit.ly link that allows her to see how many people clicked on the link. Several people publicly shared the document’s full web address on Reddit and other closed groups, so it’s likely that many others have seen the document. At the time of writing, the document had about 30 viewers.
On the same day that Backus shared her paper, Larsen released a set of open source tools, as well as a how-to video, with the goal of helping others.
Backus’ paper and Larsen’s tools are an example of how the community of workers at schools that were hacked — and those that weren’t actually hacked but were still notified by PowerSchool — came together to support each other. School employees have had to help each other and respond to the breach in a crowd-sourced way fueled by solidarity and need because of the slow and incomplete response from PowerSchool, according to half a dozen workers at the schools. affected who participated in the community. effort and talked about their experiences with TechCrunch.
Several other school employees supported each other in several Reddit threads. Some of these were posted on the K-12 Systems Administrators subreddit, where users must be verified and verified to be able to post.
Doug Levin, the co-founder and national director of a nonprofit that helps schools with cybersecurity, the K12 Security Information EXchange (K12 SIX), which published its own FAQ about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is of such a large scope that it is more evident.”
“The sector itself is quite large and diverse — and, in general, we haven’t yet created the information-sharing infrastructure that exists in other sectors for cybersecurity incidents,” Levin said.
Levin highlighted the fact that the education sector needs to rely on open collaboration through more informal, sometimes public channels, often because schools are generally understaffed in terms of IT staff and lack specialist security expertise. cyber.
Another school employee told TechCrunch that “for so many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents, and we need to come together.”
When reached for comment, PowerSchool spokesperson Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community that is committed to sharing information and helping each other. We are grateful for the patience of our customers and sincerely thank those who stepped in to help their peers by sharing information. We will continue to do the same.”
Additional reporting by Carly Page.
