At 11:10pm on January 7th in Dubai, Romy Backus received an email from education technology giant Power Schools informing her that her school was the victim of a data breach that the company discovered on December 28th. Notified that it is one. According to Power School, the hackers said: They had access to a cloud system that stores large amounts of personal information on students and teachers, including social security numbers, medical information, grades, and other personal data from schools around the world.
The affected companies, given that PowerSchool bills itself as North America’s largest provider of cloud-based educational software for K-12 schools (approximately 18,000 schools and over 60 million students) One technical official said the impact could be “huge”. the school told TechCrunch. Officials from the districts affected by the incident told TechCrunch that the hackers accessed “all” historical student and teacher data stored on PowerSchool-provided systems.
Backus works at the American School of Dubai, managing the school’s PowerSchool SIS system. Schools use this system, the same system that was hacked, to manage student data such as grades, attendance, and enrollment, as well as sensitive information such as students’ social security numbers and medical records.
The morning after receiving the email from PowerSchool, Backus went to see his manager and activated the school’s protocols for handling data breaches, asking what the hackers had stolen from the school since PowerSchool had not provided any information. The company said it has launched an investigation into the breach to determine exactly what happened. Details about her school can be found in the disclosure email.
“I started looking into it because I wanted to know more,” Backus told TechCrunch. “Let’s just say, we’re affected. It’s great. Now, what was taken? When was it filmed? How bad is it?
“They weren’t ready to give us the specific information that our customers needed to do our own efforts,” Backus said.
Soon after, Backus realized that other administrators at schools using PowerSchool were also trying to find the same answer.
“Part of it had to do with confusion and inconsistent communication from PowerSchool,” said one of six school officials who spoke to TechCrunch on condition that neither they nor the district remain anonymous. .
“To[PowerSchool’s]credit, they were actually very quick to alert their customers about this, especially if you look at the technology industry as a whole, but their communications were not pragmatic. information was lacking, misleading at worst, and downright confusing at best,” the person said.
inquiry
Do you have more information about the PowerSchool breach? You can contact Lorenzo Franceschi-Bicchierai securely from a non-work device on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email. You can also contact TechCrunch via SecureDrop.
In the early hours after Power School’s notification, schools scrambled to understand the scope of the breach, or whether there was one at all. Adam Larsen, assistant superintendent of Community Unit School District 220 in Oregon, Illinois, told TechCrunch that the email list server where PowerSchool customers have a habit of sharing information with each other “exploded.” .
The community soon found itself isolated. “We need our friends to act quickly because they don’t have much confidence in the power school information at this point,” Larsen said.
“There was a lot of panic, not reading what had already been shared, and asking the same questions over and over again,” Backus said.
Backus said that because of his skills and knowledge of systems, he was able to quickly identify what data had been compromised at his school and began comparing notes with staff at other affected schools. Ta. Noticing a pattern to the breach and thinking it might be the same for others, Backus wrote a how-to guide detailing the specific IP addresses and steps the hackers used to break into the school. I decided to put it together. This is the information needed to investigate the incident and determine whether the system was compromised and what specific data was stolen.
At 4:36 p.m. Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Mr. Backus posted a WhatsApp message in a group chat with other PowerSchool administrators based in Europe and the Middle East. I mentioned that I sent the shared Google doc above. Information and resources to help each other. Later that day, Backus said he spoke with more people, refined the document, and posted it to the PowerSchool User Group, an informal support forum for PowerSchool users with more than 5,000 members. .
Since then, this document has been updated regularly, has grown to nearly 2,000 words, and has become virtually widespread within the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a Bit.ly shortlink that allows him to see how many people clicked on the link. More people may have seen the document because several people published the document’s full web address on Reddit and other private groups. At the time of this writing, approximately 30 people had viewed this document.
On the same day Backus shared the document, Larsen published an open source tool set and how-to video aimed at helping others.
Backus’ documents and Larsen’s tools show how the school staff community that was hacked, as well as the school staff community that was not actually hacked but was notified by PowerSchool, came together to support each other. This is an example. Power Schools’ response was slow and incomplete, according to several affected school staff members who participated in the community, prompting school officials to use a crowdsourcing approach driven by solidarity and necessity to help each other respond to the breach. There was only one. I talked about my experience with TechCrunch.
Several other school officials supported each other in several Reddit threads. Some of them are published on the K-12 System Administrators subreddit and require scrutiny and verification before users can post them.
Doug Levin, co-founder and national director of K12 Security Information eXchange (K12 SIX), a nonprofit organization that supports cybersecurity in schools, has published his own FAQ about the PowerSchool hack, and says that this kind of open He told TechCrunch that collaboration is common in the world. But “the PowerSchool case is much more revealing because it’s so much bigger in scope.”
“The field itself is very large and diverse, and generally the information sharing infrastructure that exists in other fields regarding cybersecurity incidents has not yet been established,” Levin said.
Levin said that because schools generally lack IT talent and lack cybersecurity expertise, the education sector will need to rely on more informal and, in some cases, open collaboration through public channels. He emphasized the fact that there is.
“For many of us, we don’t have the funding to fund all the cybersecurity resources we need to respond to an incident, so we need to come together,” another school official told TechCrunch.
When asked for comment, PowerSchool spokesperson Beth Keebler told TechCrunch: We appreciate your patience and sincerely appreciate those who stepped up to share information and support their colleagues. We will continue to do the same. ”
Additional reporting by Carly Page.