
How PowerSchool data breach victims helped each other investigate ‘massive’ hack


On January 7, at 11:10 a.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool informing her that the school she worked for was one of the victims of a data breach discovered by the company on December 28. PowerSchool says hackers accessed cloud systems containing personal student and teacher information, including Social Security numbers, medical information, grades, and other personal data from schools around the world.

Because PowerSchool bills itself as the largest provider of cloud-based educational software for K-12 schools — about 18,000 schools and more than 60 million students — in North America, the impact could be “huge,” as one school tech worker told TechCrunch. Sources at the school district affected by the incident told TechCrunch that hackers accessed “all” of the student and teacher history data stored in PowerSchool-provided systems.

Backus works at the American School of Dubai, where she manages the school’s PowerSchool SIS system. Schools use this system — the same system that was hacked — to manage student data, such as grades, attendance, and enrollment, as well as more sensitive information such as students’ Social Security numbers and medical records.

The day after receiving the email from PowerSchool, Backus said she met with her manager, triggered the school’s protocol for handling data breaches, and began investigating the breach to find out exactly what the hackers stole from her school, because PowerSchool did not provide any details related to her school in the disclosure email.

“I started digging because I wanted to know more,” Backus told TechCrunch. “Just tell me, okay, we’ve been affected. Great. Well, what was taken? When was it taken? How bad?”

“They weren’t ready to provide the concrete information that customers needed to work,” Backus said.

Soon, Backus realized that other PowerSchool administrators were trying to find the same answers.

“Some of it had to do with confusing and inconsistent communication that came from PowerSchool,” said one of a half-dozen school workers who spoke to TechCrunch on condition of anonymity for themselves and their school district.

“To [PowerSchool’s] credit, they actually alerted their customers quickly about this, especially if you look at the technology industry as a whole, but the communication lacked actionable information and was misleading at worst, confusing at best,” the person said.

In the early hours after the PowerSchool news, schools were scrambling to find out the extent of the breach, or even whether they had been breached at all. Email listservs of PowerSchool subscribers, who usually share information with each other, were “exploding,” as Adam Larsen, assistant superintendent for Community Unit School District 220 in Oregon, Illinois, put it to TechCrunch.

The community quickly realized that it was on its own. “We need friends to act quickly because we can’t trust PowerSchool’s information right now,” Larsen said.

“There’s a lot of panic and not reading what’s been shown, then asking the same questions over and over again,” Backus said.

Thanks to her skills and knowledge of the system, Backus said she was able to identify the compromised data at her school, and began comparing notes with workers from other affected schools. When she realized that there was a pattern to the breach, and suspected it might be similar at other schools, Backus decided to create a guide with details such as the specific IP addresses the hackers used to breach the school, and the steps to take to investigate the incident and determine whether a system had been breached, along with whether certain data was stolen.

At 4:36 p.m. Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she shared a Google Doc on WhatsApp in a group chat with other PowerSchool administrators based in Europe and the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and sifting through the document, Backus said she posted it on the PowerSchool User Group, an unofficial support forum for PowerSchool users that has more than 5,000 members.

Since then, the document has been updated regularly and has grown to nearly 2,000 words, effectively going viral in the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a Bit.ly shortlink that allowed her to see how many people clicked on the link. Many people have shared the document’s full web address on Reddit and in other closed groups, so more people have seen the document. At the time of writing, there were about 30 viewers on the document.

On the same day Backus shared her document, Larsen published an open source tool, as well as a how-to video, with the goal of helping others.

Backus’ document and Larsen’s tools are examples of how communities of workers at hacked schools — and those that weren’t actually hacked but were still notified by PowerSchool — came together to support each other. School workers have had to help each other and respond to the breach in a way driven by solidarity and necessity, because of PowerSchool’s slow and incomplete response, according to the half-dozen workers at affected schools who took part in the community effort and spoke about their experience with TechCrunch.

Several other school workers supported each other in several Reddit threads. Some were posted on the K-12 system administrators subreddit, where users must be verified and authenticated in order to post.

Doug Levin, co-founder and national director of K12 Security Information eXchange (K12 SIX), a nonprofit that helps schools with cybersecurity and that publishes its own FAQ about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but “the PowerSchool incident is of a larger scope that is clearer.”

“The sector itself is quite large and diverse — and, for the most part, we haven’t established the information-sharing infrastructure that other sectors have for cybersecurity incidents,” Levin said.

Levin emphasized that the education sector must rely on open collaboration through more informal, sometimes public, channels because schools are generally short of IT workers and lack cybersecurity-specific expertise.

Another school employee told TechCrunch that “for many of us, we don’t have the funding for the full cybersecurity resources we need to respond to incidents and we have to join.”

When reached for comment, PowerSchool spokeswoman Beth Keebler told TechCrunch: “Our PowerSchool customers are part of a strong security community dedicated to sharing information and helping each other. We thank our customers for their patience and sincerely thank those who join in helping friends by sharing information. We will continue to do the same.”

Additional reporting by Carly Page.
