How victims of PowerSchool’s data breach helped each other investigate ‘massive’ hack

On January 7, at 11:10 pm in Dubai, Romy Backus received an email from education technology giant PowerSchool informing her that the school she works at had suffered a data breach discovered by the company on December 28. PowerSchool said the hackers accessed a cloud system that held a trove of personal information about students and teachers, including Social Security numbers, medical information, grades and other personal data from schools around the world.

As PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools in North America — with nearly 18,000 schools and more than 60 million students — the impact could be “huge,” a tech worker at one affected school told TechCrunch. Sources from school districts affected by the incident told TechCrunch that the hackers accessed “all” their student and teacher historical data stored in their PowerSchool-provided system.

Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data, such as grades, attendance and enrollment, as well as more sensitive information such as student Social Security numbers and medical records.

The morning after receiving the email from PowerSchool, Backus said she went to meet with her manager, triggered the school’s protocols for handling data breaches and began investigating the breach to figure out exactly what the hackers stole from her school, since PowerSchool did not provide any details related to her school in its disclosure email.

“I started digging because I wanted to know more,” Backus told TechCrunch. “Just telling me, well, we’re impressed. Great. Well, what has been taken? When was it taken? How bad is it?”

“They weren’t prepared to provide us with any concrete information that customers needed to do our own due diligence,” Backus said.

Soon, Backus realized that other administrators at schools using PowerSchool were trying to find the same answers.

“Some of it had to do with confusing and inconsistent communication from PowerSchool,” according to one of the half-dozen school officials who spoke to TechCrunch on condition that neither they nor their school district be named.

“To [PowerSchool’s] credit, they actually alerted their customers about it very quickly, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, confusing at best,” the person said.

In the first hours after PowerSchool’s notification, schools scrambled to figure out the extent of the breach, or even whether they had been breached at all. The email listservs of PowerSchool customers, where they routinely share information with each other, “exploded,” as Adam Larsen, assistant superintendent of Community Unit School District 220 in Oregon, Illinois, put it to TechCrunch.

The community quickly realized they were on their own. “Our friends have to act fast because they can’t really trust the PowerSchool information right now,” Larsen said.

“There was a lot of panic and not reading what had already been shared, and then being asked the same questions over and over again,” Backus said.

Thanks to her own skills and knowledge of the system, Backus said she was able to quickly figure out what data had been compromised at her school and began comparing notes with staff at other affected schools. When she realized there was a pattern to the breach and that it could be similar for others, Backus decided to put together a guide with details, such as the specific IP addresses the hackers used to breach the school, and steps to investigate the incident, to determine whether a system has been breached and what specific information was stolen.

On January 8 at 4:36 pm Dubai time, less than 24 hours after PowerSchool notified all customers, Backus said she sent a shared Google Doc to a group chat on WhatsApp with other PowerSchool administrators based in Europe and the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she posted it on PowerSchool User Group, an unofficial support forum for PowerSchool users with over 5,000 members.

Since then, the document has been updated regularly and has grown to around 2,000 words, effectively going viral in the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a Bit.ly shortlink that allowed her to see how many people clicked on the link. Many people have publicly shared the document’s full web address on Reddit and in other closed groups, so perhaps many more have seen the document. At the time of writing, the document had about 30 visitors.

On the same day that Backus shared her document, Larsen released an open source set of tools, as well as a how-to video, aiming to help others.

Backus’ document and Larsen’s tools are examples of how communities of staff at schools that were hacked — and those that weren’t actually hacked but were still notified by PowerSchool — rallied to support each other. According to the half-dozen affected school staff who participated in the effort and talked about their experience with TechCrunch, the slow and incomplete response from PowerSchool forced school staff to help each other and respond to the breach in a crowdsourced manner, out of solidarity and necessity.

A few other school staff supported each other in quite a few Reddit threads. Some of them were published on the K-12 system administrators subreddit, where users need to be verified to be able to post.

Doug Levin, co-founder and national director of K12 Security Information Exchange (K12 SIX), a nonprofit organization that helps schools with cybersecurity and that published its own FAQ regarding the PowerSchool hack, told TechCrunch that this type of open collaboration is common in the community, but “the PowerSchool phenomenon is so large-scale that it’s even more obvious.”

“The sector itself is quite large and diverse — and, in general, we haven’t yet established the information sharing infrastructure that exists in other sectors for cybersecurity incidents,” Levin said.

Levin highlighted the fact that the education sector has to rely on more informal, sometimes open collaboration through public channels because schools are typically short of IT staff and lack specialist cybersecurity expertise.

Another school worker told TechCrunch that “for many of us, we don’t have the funding for all the cybersecurity resources that we need to respond to incidents and we need to band together.”

When reached for comment, PowerSchool spokesperson Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community dedicated to sharing information and helping each other. We appreciate the patience of our customers and sincerely thank those who jumped in to help their colleagues by sharing information. We will continue to do the same.”

Additional reporting by Carly Page.
