The victims of PowerSchool’s data breach worked together to investigate the ‘massive hack’
On 7th January, at 11:10 pm in Dubai, Romy Backus received an e-mail from the education technology company PowerSchool notifying her that her school was a victim of a data leak that the company discovered on 28th December. Hackers accessed the cloud system of PowerSchool, which contained a wealth of private data, including Social Security numbers, medical information and grades from all around the world.
TechCrunch reported that, given that PowerSchool claims to be the largest provider of K-12 education software in North America — with over 18,000 schools and 60 million students — the impact on the school could be “massive”. TechCrunch reported that sources at districts affected by the incident said hackers had accessed “all of” their historical student and teacher data stored on their PowerSchool systems.
Backus manages the PowerSchool SIS at the American School of Dubai. This system, which was also hacked, is used by schools to manage sensitive data such as Social Security numbers, medical records, attendance and enrollment. Backus, who received the PowerSchool email the next day, said that she immediately went to her manager to initiate the school’s protocol for handling data breaches. She then began investigating the breach in order to determine what exactly the hackers had stolen from her school.
Backus said to TechCrunch that she began digging into the matter because she wanted to learn more. Just telling me, okay, that we’ve all been affected is not enough. Great. What’s the matter? What was taken? When was it stolen?
One of the half-dozen school workers who spoke with TechCrunch on condition that they not be named said that some of it was due to the confusing and inconsistent communication that came from PowerSchool.
In the early hours following PowerSchool’s notification of the breach, schools scrambled to determine its extent, if they were affected at all. Adam Larsen is the assistant superintendent of Community Unit School District 220-Oregon, Illinois. He told TechCrunch that email listservs, where PowerSchool users share information, had “exploded”. The community realized that they were all on their own. Larsen said that the community needed to act fast because PowerSchool’s information was not something they could trust.
“There was a lot of panic and not reading what has been shared already, and then asking the same questions over and over again,” said Backus.
Thanks to her own skills and knowledge of the system, Backus said she was able to quickly figure out what data was compromised at her school, and started comparing notes with workers from other affected schools. Backus, who suspected that there may have been a similar breach in other schools, decided to create a guide to explain how to deal with the situation. She shared a Google Doc with PowerSchool administrators in Europe and the Middle East in WhatsApp group chats at 4:36 pm Dubai time, less than 24 hours after PowerSchool had notified customers. Later that day, after talking to more people and refining the document, Backus said she posted it on the PowerSchool User Group, a non-official support forum for PowerSchool users that has more than 5,000 members.
Since then, the document has been updated regularly and grown to nearly 2,000 words, effectively going viral inside the PowerSchool community. Backus said that as of Friday the document was viewed over 2,500 times. She created a Bit.ly link to track how many people had clicked on the link. The document was shared on Reddit, and in other closed groups. It’s possible that many more people have seen it. Around 30 people were viewing the document at the time this article was written. Larsen, who also published a video and a set of open-source tools to help others, released them on the same day Backus posted her document.
Backus’ document and Larsen’s tools show how workers from schools who were hacked – and those that weren’t hacked, but were still informed by PowerSchool – rallied together to help each other. According to a half dozen workers from affected schools, school workers had to turn to each other and respond to the breach through a community effort fueled by necessity and solidarity because PowerSchool’s response was slow and incomplete.
Several school workers also supported each other on Reddit. Some posted on the K-12 Systems Administrators’ subreddit, where users must be verified and vetted before they can post. Levin said that the education sector relies on open collaboration through informal, sometimes public channels because schools are understaffed in terms of IT workers and lack specialist cybersecurity expertise.
Another school worker told TechCrunch that “for so many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents and we have to band together.”
When reached for comment, PowerSchool’s spokesperson Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community that is dedicated to sharing information and helping each other. We appreciate our customers’ patience, and we thank all those who shared information with their peers. We will continue to do the same.”