Power School (formerly owned by Pearson) suffered a massive data breach in December after a hacker group compromised a contractor account with full access to their customer support toolset, allowing them full administrative access to any and every instance of Power School, on-prem or hosted in the cloud. Power School is the leader in school information systems; it is used all across the US and Canada.

Despite having CrowdStrike monitoring and protecting their internal systems, Power School wasn’t aware of their breach until the attackers provided them with proof and a ransom demand.

Power School utilized CyberSteward, a corporation which bills itself as “Trusted Advisors in Threat Actor Engagement, Negotiations, and Cyber Resolutions”, meaning they negotiate with hackers and facilitate the transaction of the ransom. A neat little business model if I’ve ever seen one.

For years now, districts have been making progress on complying with cyber security insurance companies’ requirements to enforce 2FA on teachers and staff, with much pushback. This feat is accomplished in districts all across the country on shoestring IT budgets.

Meanwhile, Power School Inc., an approximately $3bn corporation, left their entire customer support staff without MFA. These support accounts had broad access to school systems’ data. This data could be accessed at any time, with zero consent from the client, for an unlimited duration.

Power School says, “Moving forward, Power School will no longer have time-unlimited access. They will need to request access each time. Maintenance Access will not be turned on indefinitely. It will turn off automatically in 1-30 days and need new action to turn it back on later.”

They also say they have now enforced MFA to log into the VPN where PowerSource (their support portal) is now accessed. Eventually MFA will be required for PowerSource support staff, too.

Too little, too late. Thankfully, these attackers were only interested in extracting a ransom from Power School. With the level of access these attackers had, they could easily have wiped the data in these systems. Power School has parent contact information, emergency contact information, schedule information, grades, discipline reports, 504 information, lunch balance information, everything a district needs to operate stored in it. In many cases a district would be hard-pressed to function without the system up and reliable. A systematic wipe of this data across thousands and thousands of districts in the US and Canada would result in massive amounts of chaos that would easily cripple communities, if not large swaths of the country.

It’s not unheard of for a district to be closed because its systems are offline. While this would not take down local systems, it would mean that critical scheduling and contact information, as well as grading information, would be inaccessible. This idea might be a bit of a stretch if I’m being honest, but the level of chaos it would cause would be fairly substantial and unpredictable.

What is clear is that Power School has been incredibly negligent in this regard. Some districts are reporting that SSNs they stored in Power School were leaked, for both currently enrolled and previously enrolled students. I believe it to be very rare for a district to be storing students’ SSNs in this way, but it is a default demographic field for students and staff. I’ve been told that even if you had remote support access turned off on your on-prem instance, it was effectively a placebo, and the attackers were able to access your system regardless.

In a country where teachers can be individually liable for not using state-approved online services, which then suffer a data breach, Power School will get off without even a slap on the wrist. They negotiated with the hackers and paid the ransom via a convenient and legal intermediary, as any good corporation should. Nothing to see here, folks. Just good business as usual.
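The access policy in the quoted statement (per-request grants that expire after 1-30 days instead of standing, time-unlimited access) written out as a small Python model. This is an illustration added here, not PowerSchool’s code and not the original poster’s; the grant fields, the `request_grant` / `approve` / `access_allowed` functions and the explicit customer-approval step are assumptions about how such a policy would be enforced, chosen so the old standing-access case and the new time-boxed case can be compared side by side.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Bounds taken from the quoted statement: access turns off after 1-30 days.
MIN_TTL_DAYS = 1
MAX_TTL_DAYS = 30


@dataclass(frozen=True)
class MaintenanceGrant:
    """One vendor-support access grant for one customer instance (hypothetical model)."""
    instance_id: str
    requested_by: str            # support engineer or contractor account
    approved_by: Optional[str]   # customer admin who consented; None = never approved
    granted_at: datetime
    ttl_days: Optional[int]      # None models the old "time-unlimited" setting

    def expires_at(self) -> Optional[datetime]:
        if self.ttl_days is None:
            return None
        return self.granted_at + timedelta(days=self.ttl_days)


def access_allowed(grant: MaintenanceGrant, now: datetime) -> tuple[bool, str]:
    """Policy check run on every support login to a customer instance.

    Deny-by-default: a grant is usable only if a customer approved it, it has a
    bounded lifetime inside the allowed window, and that lifetime has not lapsed.
    """
    if grant.approved_by is None:
        return False, "no customer approval on record"
    if grant.ttl_days is None:
        return False, "time-unlimited grants are not permitted"
    if not MIN_TTL_DAYS <= grant.ttl_days <= MAX_TTL_DAYS:
        return False, f"ttl of {grant.ttl_days} days is outside {MIN_TTL_DAYS}-{MAX_TTL_DAYS}"
    if now >= grant.expires_at():
        return False, "grant expired; a new request and approval are required"
    return True, "ok"


def request_grant(instance_id: str, requested_by: str, ttl_days: int,
                  now: datetime) -> MaintenanceGrant:
    """Support staff can only create an unapproved grant; the customer must approve it."""
    if not MIN_TTL_DAYS <= ttl_days <= MAX_TTL_DAYS:
        raise ValueError(f"ttl_days must be in {MIN_TTL_DAYS}..{MAX_TTL_DAYS}")
    return MaintenanceGrant(instance_id, requested_by, None, now, ttl_days)


def approve(grant: MaintenanceGrant, customer_admin: str) -> MaintenanceGrant:
    """The customer's consent step; returns a new, approved grant object."""
    return MaintenanceGrant(grant.instance_id, grant.requested_by, customer_admin,
                            grant.granted_at, grant.ttl_days)


def demo() -> dict[str, bool]:
    """Old standing access versus a requested, approved, 7-day grant over time."""
    t0 = datetime(2024, 12, 1, tzinfo=timezone.utc)
    # Old model: a standing grant with no expiry and no customer approval.
    legacy = MaintenanceGrant("district-0001", "support-contractor", None, t0, None)
    # New model: requested for 7 days, then approved by the district admin.
    pending = request_grant("district-0001", "support-contractor", 7, t0)
    approved = approve(pending, "district-admin")
    return {
        "legacy_standing_access": access_allowed(legacy, t0)[0],
        "pending_without_consent": access_allowed(pending, t0)[0],
        "approved_day_3": access_allowed(approved, t0 + timedelta(days=3))[0],
        "approved_day_8": access_allowed(approved, t0 + timedelta(days=8))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point of making `MaintenanceGrant` frozen and routing creation through `request_grant` and `approve` is that a support account can never mint an approved grant for itself: consent and expiry are properties of the record the check reads, not flags the requester controls.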

  • Philosoraptor [he/him, comrade/them]@hexbear.net (4 upvotes, 8 hours ago)

    Powerschool is also such a dogshit platform. My school used it until about 5 years ago, and the whole service looks and runs like it hasn’t been updated since 1995. Totally doesn’t surprise me that they weren’t enforcing any modern security best practices.

    • RedWizard [he/him, comrade/them]@hexbear.net (OP) (5 upvotes, 10 hours ago)

      They have had that SSN field for a very, very long time, if I recall. May have even been in the initial release when Apple was the one who was making and selling Power School. Power School has been around for like 20+ years. In fact, you can still find some parts of Power School that still have the old glass bubble design that Apple was doing for their iMacs in the early aughts.

      We could speculate all day, but I’m convinced that all these “compliance” standards are bullshit smoke and mirrors. States across the US have similar student data privacy rules in place, many of which require software to “pledge” that they do not do anything with your students’ PII. Over the course of 2020 and beyond, because of lock-downs and remote schooling, and thus students’ exposure to more online software, states have begun cracking down on what software can and cannot be used in districts. Often, these laws require a software vendor to sign an agreement that they will not collect, distribute, or store student PII. It’s in the company’s best interest to say they won’t do that, but continue to do it anyway, since no one can scrutinize their codebase to see whether they’re really complying or not.

      Google, famously caught collecting data on students, specifically data-mining student email messages, says they do not use our data to train their large language models, but I think that’s bullshit. There is no way to verify that this is true, and even if it wasn’t true, they would simply say it was a “bug” or “glitch” and not the “intended” outcome. Which is precisely what Power School is saying about their customer support team having full unconsenting access to every instance both on-premise and in the cloud. It’s clear to me that this was simply a move to ensure tasks were being completed efficiently and “on time”.

      It’s also not uncommon for software vendors to just whole-cloth make up a sticker or seal that indicates their software is “fully secure” or what have you. Ashley Madison is a prime example of a site that had all kinds of graphics stating their site was “100%” secure, even though those graphics were made by their design team, and nothing was secure at all. I don’t think the lesson Silicon Valley learns about getting caught with a fake “Official Nintendo Seal of Quality” is that they need to actually put in the work to secure their software. I think the lesson they learn is how to not get caught.

      How can anyone know if a site is Ed 2 compliant if there isn’t a group doing compliance checks? From the NYSED website:

      Q: Is there a way for vendors to get approved by NYSED?

      A: The New York State Education Department does not certify whether any product or service offered by third party contractors is compliant with state and/or federal laws and does not maintain a list of approved vendors. School districts are responsible for ensuring that online and digital tools they use as part of continuity of learning comply with all applicable laws and regulations, including FERPA, COPPA, IDEA, Education Law § 2-d, and Part 121 of the Commissioner of Education’s Regulations. If the school district determines that no personally identifiable information (PII), as defined by Education Law §2-d, will be provided to your company when your product is being used, the requirements of Education Law §2-d generally will not apply. If it is determined that your company will receive PII, you must execute a contract with the educational agency (school district) that complies with the requirements of Education Law §2-d.

      This is true in my state as well. We are at the mercy of the vendor’s word. There is no way any district, even the largest district in the country, is going to gain the required access and have the necessary skill sets to truly verify these services and pieces of software comply with the law. The corporation signs the pledge, changes nothing, then scapegoats a contractor account when something goes wrong. It’s never an intentional skirting of the law, it’s always some unintentional oops.

    • RedWizard [he/him, comrade/them]@hexbear.net (OP) (9 upvotes, 20 hours ago)

      The scope isn’t fully known, but the potential scope is everything. They scripted the extraction so it was very efficient. It only took about 30s to pull our data, according to our logs. The reports are in the ballpark of sub-1 TB of just text. Millions of records.
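A scripted, sub-minute pull of millions of records, as described in the comment above, is exactly the shape of event an audit-log volume check can flag, whether the account doing it is a vendor support login or anyone else. The Python detector below is an added example, not the original poster’s code and not PowerSchool’s logging format: the CSV-style log lines, account names, IP addresses and the row/table thresholds are all constructed for illustration, and the thresholds would need tuning to what a normal report run looks like in a given district.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (illustrative format, not PowerSchool's):
# iso_timestamp,actor,action,table,row_count,source_ip
SAMPLE_LOG = """\
2024-12-22T03:14:05Z,teacher.jdoe,export,grades,150,203.0.113.8
2024-12-22T03:15:10Z,support.vendor01,export,students,410000,198.51.100.23
2024-12-22T03:15:18Z,support.vendor01,export,contacts,620000,198.51.100.23
2024-12-22T03:15:27Z,support.vendor01,export,health,85000,198.51.100.23
2024-12-22T03:15:35Z,support.vendor01,export,schedules,1200000,198.51.100.23
2024-12-22T09:02:00Z,registrar.asmith,export,students,12000,203.0.113.8
"""

# Assumed thresholds: tune to what a normal report run looks like in your district.
ROW_THRESHOLD = 100_000            # rows exported by one actor inside one window
TABLE_THRESHOLD = 3                # distinct tables touched by one actor inside one window
WINDOW = timedelta(seconds=60)


def parse_log(text: str) -> list[dict]:
    """Parse the CSV-style lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, table, rows, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "table": table,
            "rows": int(rows), "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_exports(events: list[dict]) -> list[dict]:
    """Sliding-window volume check per actor.

    One alert is opened when an actor's exports inside WINDOW exceed either
    threshold; later events in the same burst extend that alert instead of
    creating duplicates, so the output is one record per burst with its total
    rows, tables touched and wall-clock duration.
    """
    recent = defaultdict(deque)   # actor -> export events inside the window
    open_alert = {}               # actor -> alert currently being extended
    alerts = []
    for e in events:
        if e["action"] != "export":
            continue
        q = recent[e["actor"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        window_rows = sum(x["rows"] for x in q)
        window_tables = {x["table"] for x in q}
        if window_rows > ROW_THRESHOLD or len(window_tables) > TABLE_THRESHOLD:
            alert = open_alert.get(e["actor"])
            if alert is None:
                alert = {"actor": e["actor"], "source_ip": e["ip"],
                         "start": q[0]["ts"], "end": e["ts"],
                         "rows": window_rows, "tables": set(window_tables)}
                open_alert[e["actor"]] = alert
                alerts.append(alert)
            else:
                alert["end"] = e["ts"]
                alert["rows"] += e["rows"]
                alert["tables"].add(e["table"])
        else:
            open_alert.pop(e["actor"], None)   # burst is over; a later one gets its own alert
    for alert in alerts:
        alert["tables"] = sorted(alert["tables"])
        alert["duration_s"] = (alert["end"] - alert["start"]).total_seconds()
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_exports(parse_log(SAMPLE_LOG)):
        print(f"{a['actor']} from {a['source_ip']}: {a['rows']:,} rows across "
              f"{len(a['tables'])} tables in {a['duration_s']:.0f}s -> {a['tables']}")
```

On the constructed sample the teacher’s 150-row grade report and the registrar’s 12,000-row pull stay below both thresholds, while the support account’s four exports inside 25 seconds produce a single alert totalling 2.3 million rows across four tables. The check is deliberately blind to who the actor is; pairing it with an allow-list of approved maintenance windows (as in the time-boxed grant model earlier) turns “large export by a vendor account with no open grant” into a high-confidence signal.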

  • GenXen [he/him, any]@hexbear.net (9 upvotes, 19 hours ago)

    a contractor account with full access to their customer support toolset allowing them full administrative access to any and every instance of Power School on-prem or hosted in the cloud.

    I’m sorry, what now!? Where to even begin on how much of a clusterfuck of madness that is?

    • RedWizard [he/him, comrade/them]@hexbear.net (OP) (4 upvotes, 11 hours ago)

      That’s always the way it is isn’t it? Some convenient contractor account has god mode on the network and the attackers were able to find it and leverage it.

      The reality I think is that all the support accounts had this access to make their jobs easier at the expense of security. I wouldn’t doubt the whole support team is made up of contractors.

      More likely they did some spear phishing, caught someone on LinkedIn listing that they were a Power School customer support specialist in their profile, offered them a sweet new gig and all they had to do was a little technical interview with the team, and during that interview they just used the software that they make you install for the remote interview to snatch the passwords out of the person’s PC. They probably used their work computer to do the interviews, who can say.

      • GenXen [he/him, any]@hexbear.net (2 upvotes, 6 hours ago)

        Oh I have no doubt that Power School (and many other similar vendors) hands out these contractor accounts, I mean for the schools themselves to willingly hand over keys like that. At the very least, a vendor support account shouldn’t have or need access to confidential data to support the service/product. I would raise a stink about it, but then again, I’m blessed to still be internal IT staff at my employment. This product/service is undoubtedly sold as a means to completely replace staff like me. There’s no security issues if there are no competent internal IT staffers left to point out the obvious holes! FAFO.

        • RedWizard [he/him, comrade/them]@hexbear.net (OP) (2 upvotes, edited, 5 hours ago)

          I mean for the schools themselves to willingly hand over keys like that.

          Yeah, the thing about that is if you are cloud hosted, you cannot turn off remote support access, and any time you interact with a tech, they would ask for your consent before remotely accessing your instance. There is no “vendor support account” to manage or disable on our end, they can just access it using some internal account. If you were hosted on-premise you could turn off remote support access, except, doing that actually didn’t do anything at all and simply left that remote access connection open. So there was nothing willing about it.

          The way Power School tells it, there was nothing to prevent this from happening on the clients’ end. Some users said they had geolocked access to US-based IPs, and that they were fine, but others reported doing the same and were not. The attackers were coming from a Ukrainian IP address but also must have been using other locations as well.

          This product/service is undoubtedly sold as a means to completely replace staff like me.

          Power School effectively replaces the on-paper process of operating a school. It functions as a schedule builder, attendance tracker, grade book, disciplinary log, medical database, contact database, lunch transaction platform and a lot more. Our department in the district I work in is actually growing, and if anything, leveraging everything PowerSchool has to offer requires a lot more technical staff than if you were just doing things on paper.

          These holes were completely invisible since the software is closed source. The product has a functional monopoly on the market, since migrating off the platform would be a massive undertaking that would take months, maybe even years, for some districts to do correctly and carefully.

          Power School has districts over a barrel, really.

  • kevlar21@lemm.ee (16 upvotes, edited, 22 hours ago)

    Back in my day, a student figured out that the teachers’ passwords were just their initials twice. So they were able to log in and change everybody’s grades lol

    • RedWizard [he/him, comrade/them]@hexbear.net (OP) (15 upvotes, edited, 21 hours ago)

      We had a kid this year running his own help desk for students to request information from him about how to bypass our web filters, built with Google Forms. He had a neatly organized series of documentation and instructions he would share out. We only found out because, in his quest to get full access to the internet, he gave something access to his account that was sending tens of thousands of emails a day, and eventually Google locked the account.

      All he wanted to do was coding stuff, and something was blocked. Everyone in the department was impressed. Now we’re working with him to build some actual coding activities for kids to do.

      • when I was in high school, the intertron was still new (56k dialup was “nice”). I was in an AP class for comp sci where we learned a teaching code language to help us learn how object oriented code could be organized. it controlled a theoretical robot that didn’t exist.

        the school library staff, a bunch of ancient relics, insisted no one in this class of 6 dorks be allowed to use the student computers in the library during free time because we were all, obviously, “hackers”. all of us had to have our names and photos on file with the library so they could keep us away from the computers.

        kudos for not being like the adults when I was a kid.

        • RedWizard [he/him, comrade/them]@hexbear.net (OP) (4 upvotes, 11 hours ago)

          Man, I was that kid those adults harassed. Then I ended up doing the job that I regularly tormented. Now though, things are pretty turnkey and devices are basically disposable. We still hold kids accountable for physical damage, but we are pretty sympathetic to the tech-savvy kids.

  • Belly_Beanis [he/him]@hexbear.net (10 upvotes, 21 hours ago)

    negotiate with hackers and facilitate the transaction of the ransom

    Where have I seen this before? Really activates the almonds… 🤔 🤔 🤔🤔