{"id":649870,"date":"2025-01-18T16:25:15","date_gmt":"2025-01-18T13:25:15","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-victims-of-powerschools-data-breach-helped-each-other-investigate-massive-hack\/"},"modified":"2025-01-18T16:25:15","modified_gmt":"2025-01-18T13:25:15","slug":"how-victims-of-powerschools-data-breach-helped-each-other-investigate-massive-hack","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-victims-of-powerschools-data-breach-helped-each-other-investigate-massive-hack\/","title":{"rendered":"How victims of PowerSchool\u2019s data breach helped each other investigate &#8216;massive&#8217; hack"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach that the company discovered on December 28. PowerSchool said hackers had accessed a cloud system that housed a trove of students\u2019 and teachers\u2019 private information, including Social Security numbers, medical information, grades, and other personal data from schools all over the world.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Given that PowerSchool bills itself as the largest provider of cloud-based education software for K-12 schools \u2014 some 18,000 schools and more than 60 million students \u2014 in North America, the impact could be \u201cmassive,\u201d as one tech worker at an affected school told TechCrunch. Sources at school districts impacted by the incident told TechCrunch that hackers accessed \u201call\u201d their student and teacher historical data stored in their PowerSchool-provided systems.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Backus works at the American School of Dubai, where she manages the school\u2019s PowerSchool SIS system. 
Schools use this system \u2014 the same system that was hacked \u2014 to manage student data, like grades, attendance, enrollment, and also more sensitive information such as student Social Security numbers and medical records.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The next morning after getting the email from PowerSchool, Backus said she went to see her manager, triggered the school\u2019s protocols to handle data breaches, and started investigating the breach to understand exactly what the hackers stole from her school, since PowerSchool didn\u2019t provide any details related to her school <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/bloximages.newyork1.vip.townnews.com\/local3news.com\/content\/tncms\/assets\/v3\/editorial\/e\/ef\/eef9dfe0-cd42-11ef-8a0d-9b6662ee1ec6\/677da4657d7e6.pdf.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in its disclosure email<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cI started digging because I wanted to know more,\u201d Backus told TechCrunch. \u201cJust telling me that, okay, we\u2019ve been affected. Great. Well, what\u2019s been taken? When was it taken? 
How bad is it?\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThey weren\u2019t ready to provide us with any of the concrete information that customers needed in order to do our own diligence,\u201d said Backus.<\/p>\n<p class=\"wp-block-paragraph\">Soon after, Backus realized that other administrators at schools that use PowerSchool were trying to find the same answers.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cSome of it had to do with the confusing and inconsistent communication that came from PowerSchool,\u201d according to one of the half-dozen school workers who spoke with TechCrunch on condition that neither they, nor their school district, be named.<\/p>\n<p class=\"wp-block-paragraph\">\u201cTo [PowerSchool]\u2019s credit, they actually alerted their customers very quickly about it, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, downright confusing at best,\u201d the person said.<\/p>\n<div class=\"article-block block--callout block--right has-green-500-background-color\">\n<h4 class=\"block--callout__title\"><span class=\"ez-toc-section\" id=\"Contact_Us\"><\/span>Contact Us<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\t\t\tDo you have more information about the PowerSchool breach? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.\t\t<\/p><\/div>\n<p class=\"wp-block-paragraph\">In the early hours after PowerSchool\u2019s notification, schools were scrambling to figure out the extent of the breach, or even if they had been breached at all. 
The email listservs of PowerSchool customers, where they customarily share information with each other, \u201cexploded,\u201d as Adam Larsen, the assistant superintendent for Community Unit School District 220 in Oregon, Illinois, put it to TechCrunch.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The community quickly realized they were on their own. \u201cWe need our friends to act quickly because they can\u2019t really trust PowerSchool\u2019s information right now,\u201d said Larsen.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThere was a lot of panic and not reading what has been shared already, and then asking the same questions over and over again,\u201d said Backus.<\/p>\n<p class=\"wp-block-paragraph\">Thanks to her own skills and knowledge of the system, Backus said she was able to quickly figure out what data was compromised at her school, and started comparing notes with other workers from other affected schools. When she realized there was a pattern to the breach, and suspecting it may be the same for others, Backus decided to put together a how-to guide with details, such as the specific IP address that the hackers used to breach schools, and steps to take to investigate the incident and determine whether a system had been breached, along with what specific data was stolen.<\/p>\n<p class=\"wp-block-paragraph\">At 4:36 p.m. 
Dubai time on January 8, less than 24 hours after PowerSchool notified all customers, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/docs.google.com\/document\/d\/1FCJEENhLTJGUyEpr4oLJ0jNJPP2IIZrDdRpVPeqg8-E\/edit?tab=t.0\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Backus said she sent a shared Google Doc<\/a> on WhatsApp in group chats with other PowerSchool administrators based in Europe and across the Middle East, who often share information and resources to help each other. Later that day, after talking to more people and refining the document, Backus said she posted it on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/groups.io\/g\/PSUG\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">the PowerSchool User Group<\/a>, a non-official support forum for PowerSchool users that has more than 5,000 members.<\/p>\n<p class=\"wp-block-paragraph\">Since then, the document <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/bit.ly\/PSbreachaudit\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">has been updated regularly and grown to nearly 2,000 words<\/a>, effectively going viral inside the PowerSchool community. As of Friday, the document had been viewed more than 2,500 times, according to Backus, who created a Bit.ly shortlink that allows her to see how many people clicked the link. Several people publicly shared the document\u2019s full web address on Reddit and other closed groups, so it\u2019s likely many more have seen the document. 
At the time of writing, there were around 30 viewers on the document.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">On the same day Backus shared her document, Larsen published <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gitlab.auroraedtech.com\/psug\/cybersecurity-incident\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">an open source set of tools<\/a>, as well as <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.youtube.com\/watch?v=4iKfv0s4mFY\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a how-to video<\/a>, with the goal of helping others.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Backus\u2019 document and Larsen\u2019s tools are an example of how the community of workers at schools that were hacked \u2014 and those that were actually not hacked but were still notified by PowerSchool \u2014 rallied to support each other. School workers have had to resort to helping each other out and responding to the breach in a crowdsourced manner fueled by solidarity and necessity because of the slow and incomplete response from PowerSchool, according to the half-dozen workers at affected schools who participated in the community effort and spoke about their experiences with TechCrunch.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Several other school workers supported each other <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/k12sysadmin\/comments\/1hw2alh\/anyone_else_impacted_by_the_powerschool_sis\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in<\/a> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/k12sysadmin\/comments\/1hx2hhh\/what_we_know_about_the_powerschool_breach_so_far\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">several<\/a> <a 
rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/k12sysadmin\/comments\/1hw1m3x\/so_powerschool_had_a_breach\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Reddit<\/a> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/k12sysadmin\/comments\/1hw1n69\/powerschool_breach\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">threads<\/a>. Some of them were published on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/k12sysadmin\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">the K-12 systems administrators\u2019 subreddit<\/a>, where users have to be vetted and verified to be able to post.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Doug Levin, the co-founder and national director of a nonprofit that helps schools with cybersecurity, the K12 Security Information eXchange (K12 SIX), which published <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.k12six.org\/news\/powerschool-cyber-incident-faq\">its own FAQ<\/a> about the PowerSchool hack, told TechCrunch that this kind of open collaboration is common in the community, but \u201cthe PowerSchool incident is of such a large scope that it is more evident.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe sector itself is quite large and diverse \u2014 and, in general, we have not yet established the information sharing infrastructure that exists in other sectors for cybersecurity incidents,\u201d said Levin.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Levin underscored the fact that the education sector has to rely on 
open collaboration through more informal, sometimes public channels often because schools are generally understaffed in terms of IT workers, and lack specialist cybersecurity expertise.<\/p>\n<p class=\"wp-block-paragraph\">Another school worker told TechCrunch that \u201cfor so many of us, we don\u2019t have the funding for the full cybersecurity resources we need to respond to incidents and we have to band together.\u201d<\/p>\n<p class=\"wp-block-paragraph\">When reached for comment, PowerSchool\u2019s spokesperson Beth Keebler told TechCrunch: \u201cOur PowerSchool customers are part of a strong security community that is dedicated to sharing information and helping each other. We are grateful for our customers\u2019 patience and sincerely thank those who jumped in to help their peers by sharing information. We will continue to do the same.\u201d<\/p>\n<p class=\"wp-block-paragraph\"><em>Additional reporting by Carly Page<\/em>.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2025\/01\/18\/how-victims-of-powerschools-data-breach-helped-each-other-investigate-massive-hack\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On January 7, at 11:10 p.m. in Dubai, Romy Backus received an email from education technology giant PowerSchool notifying her that the school she works at was one of the victims of a data breach that the company discovered on December 28. 
PowerSchool said hackers had accessed a cloud system that housed a trove of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":649871,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2024\/07\/data-breach-overview-v2.jpg?resize=1200,675","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[70375,72458,90469,70944,70513,152032,140531,153699,72287],"class_list":["post-649870","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-cybersecurity","tag-data-breach","tag-edtech","tag-hackers","tag-hacking","tag-infosec","tag-k-12","tag-powerschool","tag-security"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/649870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=649870"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/649870\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/649871"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=649870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=649870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=649870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}