On January 7, at 11:10pm in Dubai, Romy Backus received an email from education technology giant PowerSchool informing her that the school she works for was one of the victims of a data breach the company discovered on December 28. PowerSchool said the hackers gained access to a cloud system containing a wide range of private information for students and teachers, including Social Security numbers, medical information, grades and other personal data from schools around the world.
Given that PowerSchool bills itself as the largest provider of cloud-based education software to K-12 schools — about 18,000 schools and more than 60 million students — in North America, the impact could be “enormous,” as one tech insider at one of the affected schools told TechCrunch. Sources in the school districts affected by the incident told TechCrunch that the hackers gained access to “all” of the historical data of students and teachers stored in their systems provided by PowerSchool.
Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same one that was hacked — to manage student data, such as grades, attendance and enrollment, as well as more sensitive information such as students’ Social Security numbers and medical records.
The morning after receiving the email from PowerSchool, Backus said she went to see her principal, activated the school’s protocols for handling data breaches, and began investigating the breach to understand exactly what the hackers had stolen from her school, since PowerSchool had not provided any details regarding her school in the disclosure email.
“I started digging because I wanted to learn more,” Backus told TechCrunch. “Just tell me we were affected. Great. Well, what was taken? When was it taken? How bad was it?”
“They were not willing to provide us with any of the concrete information that clients needed in order to do our due diligence,” Backus said.
Soon after, Backus realized that other administrators at schools using PowerSchool were trying to find the same answers.
“Some had to do with the confusing and inconsistent communications that came from PowerSchool,” according to one of six school workers who spoke with TechCrunch on the condition that their names or the name of their school district not be used.
“To [PowerSchool’s] credit,” this person said, “they actually alerted their customers pretty quickly about this, especially when you look at the tech industry as a whole, but their communications lacked any actionable information and were misleading at worst, and downright confusing at best.”
In the first hours after PowerSchool’s notification, schools were scrambling to find out the extent of the breach, or if they had even been breached at all. The email lists of PowerSchool customers, where they typically share information with each other, “exploded,” Adam Larsen, assistant superintendent of the Community Education Unit for District 220 in Oregon, Illinois, told TechCrunch.
The community soon realized they were on their own. “We need our friends to act quickly because they cannot trust PowerSchool information right now,” Larsen said.
“There was a lot of panicking and not reading what was actually shared, and then asking the same questions over and over again,” Backus said.
Thanks to her skills and knowledge of the system, Backus said she was quickly able to figure out what data had been compromised at her school, and began comparing notes with other workers from other affected schools. When she realized there was a pattern to the hack, and suspected it might be the same for others, Backus decided to put together a how-to guide that included details such as the specific IP address the hackers used to hack schools, steps to investigate the incident and determine if the system had been compromised, as well as the specific data that was stolen.
At 4:36pm Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she shared a Google Doc in WhatsApp group chats with other PowerSchool administrators based in Europe and across the Middle East, who often share information and resources to help each other. Later that day, after speaking with more people and refining the document, Backus said she posted it on PowerSchool User Group, an unofficial support forum for PowerSchool users with over 5,000 members.
Since then, the document, which has been updated regularly and has grown to approximately 2,000 words, has been spreading actively within the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a short link on Bit.ly that allowed her to see how many people clicked on the link. Many people have publicly shared the document’s full web address on Reddit and other closed groups, so it’s likely that more people have seen the document. At the time of writing, there were about 30 viewers on the doc.
On the same day Backus shared her document, Larsen posted an open source set of tools, as well as an instructional video, with the aim of helping others.
The Backus document and Larsen’s tools are an example of how the community of workers at hacked schools — and those who weren’t actually hacked but were notified by PowerSchool — are rallying to support each other. School workers have had to resort to helping each other and responding to the breach collectively, fueled by solidarity and necessity, because of the slow and incomplete response from PowerSchool, according to six workers at the affected schools who participated in the community effort and talked about their experiences with TechCrunch.
Many school staff supported each other in numerous Reddit threads. Some of them were posted on the subreddit for K-12 systems administrators, where users must be vetted and verified to be able to post.
Doug Levin, co-founder and national director of K12 Security Information eXchange (K12 SIX), a nonprofit that helps schools with cybersecurity and that published its own FAQ about the PowerSchool hack, told TechCrunch that this type of open collaboration is common in the community, but “the PowerSchool incident is so widespread that it has become more visible.”
“The sector itself is very large and diverse — and in general, we have not yet created the information-sharing infrastructure that exists in other sectors for cybersecurity incidents,” Levin said.
Levin stressed the fact that the education sector must rely on open collaboration through informal, and sometimes public, channels because schools are generally understaffed in terms of IT workers and lack specialized cybersecurity expertise.
“For many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents and we have to band together,” another school worker told TechCrunch.
When contacted, PowerSchool spokesperson Beth Keibler told TechCrunch: “Our PowerSchool customers are part of a strong security community dedicated to sharing information and helping each other. We are grateful for our customers’ patience and deeply thank those who have taken the initiative to help their peers by sharing information. We will continue to do the same.”
Additional reporting by Carly Page.