How PowerSchool data breach victims are helping each other investigate 'massive' hack

At 11:10 pm on January 7 in Dubai, Romy Backus received an email from edtech giant PowerSchool informing her that the school where she worked was one of the victims of a data breach the company had discovered on December 28. PowerSchool said hackers accessed a cloud system that contained a large amount of private information about students and teachers, including Social Security numbers, medical information, grades and other personal data from schools around the world.

Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools in North America, serving about 18,000 schools and more than 60 million students, the impact could be "huge," as one technology staffer at an affected school told TechCrunch. Sources in school districts affected by the incident told TechCrunch that hackers accessed "all" historical student and teacher data stored in systems provided by PowerSchool.

Backus works at the American School of Dubai and manages the school's PowerSchool SIS system. The school uses this system (the same one that was hacked) to manage student data such as grades, attendance, and enrollment status, as well as more sensitive information such as student Social Security numbers and medical records.

After seeing the email from PowerSchool the next morning, Backus said she went to her manager, triggered the school's protocol for handling data breaches, and began investigating the breach to learn exactly what the hackers had stolen from her school, because PowerSchool had not provided any details about her school in the disclosure email.

"I started digging because I wanted to learn more," Backus told TechCrunch. "Just tell me, okay, we were affected. Great. Well, what was taken? When was it taken? How bad was it?"

"They were not ready to provide us with any specific information that the client needed in order for us to conduct our own due diligence," Backus said.

Before long, Backus realized that other administrators at schools using PowerSchool were trying to find the same answer.

"Part of the problem has to do with confusing and inconsistent communication from PowerSchool," said one of six school staff members who spoke to TechCrunch on the condition that neither they nor their district be named.

"To [PowerSchool's] credit, they were actually quick to alert customers about this, especially when you look at the tech industry as a whole, but their communication lacked any actionable information; at worst it is misleading and at best completely confusing," the staff member said.


In the hours after PowerSchool sent out the notice, schools were scrambling to find out the extent of the breach, or even whether they had actually been breached at all. Adam Larsen, assistant superintendent at Oregon Community Unit School District 220 in Illinois, told TechCrunch that the email listserv where PowerSchool customers typically share information with each other had "exploded."

The community soon realized they were on their own. "We need our friends to act quickly because they can't really trust PowerSchool's information right now," Larsen said.

"People are panicking, not reading what's been shared, and then asking the same questions over and over again," Backus said.

Backus said that with her skills and knowledge of the system, she was able to quickly figure out what data at her school had been compromised, and she began exchanging notes with staff at other affected schools. When she realized there was a pattern to the attacks and suspected others might be experiencing the same thing, Backus decided to write a how-to guide with details such as the specific IP addresses the hackers had used to attack the school, along with steps to investigate the incident, determine whether a system had been compromised, and work out what specific data had been stolen.

At 4:36 pm Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, Backus said she shared a Google Doc in a WhatsApp group chat with other PowerSchool administrators across Europe and the Middle East, where they often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she posted it on the PowerSchool User Group, an unofficial support forum for PowerSchool users with more than 5,000 members.

Since then, the document has been updated regularly and has grown to nearly 2,000 words, quickly spreading throughout the PowerSchool community. Backus said the document had been viewed more than 2,500 times as of Friday; she created a Bit.ly short link so she could see how many people clicked it. Several people have publicly shared the document's full URL on Reddit and in other closed groups, so more people may have seen it. As of this writing, roughly 30 people were viewing the document at once.

On the same day Backus shared her document, Larsen released a set of open source tools along with how-to videos aimed at helping others.

Backus' document and Larsen's tools are examples of how communities of school staff, both those whose schools were hacked and those who were not actually hacked but still received PowerSchool's notification, came together to support each other. Six staff members from affected schools who took part in the community effort and spoke to TechCrunch about their experiences said that because PowerSchool's response was slow and incomplete, school staff had to help each other and crowdsource their response to the breach, driven by solidarity and necessity.

Several other school staff members supported each other in multiple Reddit posts. Some of these were posted on the K-12 System Admins subreddit, where users must be reviewed and verified before they can post.

Doug Levin, co-founder and national director of the K12 Security Information eXchange (K12 SIX), a nonprofit that helps schools become cyber-secure and which published an FAQ about the PowerSchool hack, told TechCrunch that this kind of open collaboration is typical of the community, but "the PowerSchool incident has such a wide impact, it is even more obvious."

"The industry itself is quite large and diverse, and by and large we have not yet established the infrastructure for sharing information on cybersecurity incidents that exists in other industries," Levin said.

Levin emphasized that the education sector has to rely on more informal, and sometimes public, channels for open collaboration, largely because schools generally have small IT staffs and lack specialized cybersecurity expertise.

Another school staff member told TechCrunch, "For many of us, we don't have enough funding to have all the cybersecurity resources we need to respond to an incident, and we have to come together."

When reached for comment, PowerSchool spokesperson Beth Keebler told TechCrunch: "Our PowerSchool customers are part of a strong security community dedicated to sharing information and helping each other. We appreciate our customers' patience and sincerely appreciate those who help their peers by sharing information and will continue to do so."

Additional reporting by Karlie Paige.