PowerSchool, a leading provider of cloud-based education technology solutions, notified its customers of a significant data breach on January 7, 2023. The breach, discovered on December 28, 2022, compromised the private information of students and teachers worldwide. Hackers accessed a cloud system that stored sensitive data, including Social Security numbers, medical records, grades, and personal details. This incident has notably affected PowerSchool's extensive network, which serves 18,000 schools and over 60 million students globally.
Romy Backus, a concerned school worker, received an email from PowerSchool on January 7, 2023, informing her that her institution was among those impacted. In response to the breach and the ensuing confusion, Backus shared a Google Doc with other PowerSchool administrators. This document aimed to help them comprehend the breach and formulate appropriate responses. The collaborative effort quickly spread through WhatsApp group chats and expanded to nearly 2,000 words, eventually garnering over 2,500 views.
Adam Larsen, an assistant superintendent, further contributed by releasing an open-source set of tools and a how-to video. His resources were designed to assist others in managing the breach's repercussions efficiently. Larsen emphasized the urgency of collective action in light of the difficulties faced by PowerSchool's communication strategy.
“We need our friends to act quickly because they can’t really trust PowerSchool’s information right now,” said Adam Larsen.
The education sector often relies on open collaboration and informal channels due to understaffing and a lack of specialist cybersecurity expertise. This reliance became crucial in the wake of the breach as school workers sought clarity and guidance amid the chaos.
“Some of it had to do with the confusing and inconsistent communication that came from PowerSchool,” remarked one of the half-dozen school workers involved in addressing the crisis.
PowerSchool's spokesperson, Beth Keebler, acknowledged the community's resilience and dedication to mutual support during this challenging period.
“Our PowerSchool customers are part of a strong security community that is dedicated to sharing information and helping each other. We are grateful for our customers’ patience and sincerely thank those who jumped in to help their peers by sharing information,” stated Beth Keebler.
Despite PowerSchool's prompt notification of the breach, many users expressed dissatisfaction with the quality of information provided.
“To [PowerSchool]’s credit, they actually alerted their customers very quickly about it, especially when you look at the tech industry as a whole, but their communication lacked any actionable information and was misleading at worst, downright confusing at best,” observed another school worker.
The breach has had a "massive" impact on schools globally. As one tech worker described it, the scale of the incident is unprecedented in its reach and complexity. Doug Levin, an expert in cybersecurity for educational institutions, highlighted the challenges faced by the sector.
“The PowerSchool incident is of such a large scope that it is more evident,” explained Doug Levin. He further commented on the sector's infrastructure: “The sector itself is quite large and diverse — and, in general, we have not yet established the information sharing infrastructure that exists in other sectors for cybersecurity incidents.”
Amidst the chaos, Romy Backus noted the repetitive nature of queries from affected parties as panic ensued.
“There was a lot of panic and not reading what has been shared already, and then asking the same questions over and over again,” she recounted.
However, this crisis has also reaffirmed the PowerSchool community's commitment to collaboration.
“We will continue to do the same,” asserted Beth Keebler, emphasizing ongoing efforts to support affected schools.
A school worker succinctly captured the communal spirit driving this response:
"We have to band together."
Leave a Reply