Power School (formerly owned by Pearson) suffered a massive data breach in December after a hacker group compromised a contractor account with full access to their customer support toolset, allowing them full administrative access to any and every instance of Power School, on-prem or hosted in the cloud. Power School is the leader in school information systems; it is used all across the US and Canada.
Despite having CrowdStrike monitoring and protecting their internal systems, Power School wasn't aware of their breach until the attackers provided them with proof and a ransom demand.
Power School utilized CyberSteward, a corporation which bills itself as "Trusted Advisors in Threat Actor Engagement, Negotiations, and Cyber Resolutions", meaning they negotiate with hackers and facilitate the transaction of the ransom. A neat little business model if I've ever seen one.
For years now districts have been making progress on complying with cyber security insurance companies by enforcing 2FA on teachers and staff, with much push back. This feat is done in districts all across the country on shoestring IT budgets.
Meanwhile, Power School Inc., an approximately $3bn corporation, left their entire customer support staff without MFA. These support accounts had broad access to school systems' data. This data could be accessed at any time, with zero consent from the client, for an unlimited duration.
Power School says, "Moving forward Power School will no longer have time-unlimited access. They will need to request access each time. Maintenance Access will not be turned on indefinitely. It will turn off automatically in 1-30 days and need new action to turn it back on later."
They also say they have now enforced MFA to log into the VPN where PowerSource (their support portal) is now accessed. Eventually MFA will be required for PowerSource support staff, too.
Too little, too late. Thankfully these attackers were only interested in extracting a ransom from Power School. With the level of access these attackers had, they easily could have wiped the data in these systems. Power School has parent contact information, emergency contact information, schedule information, grades, discipline reports, 504 information, lunch balance information, everything a district needs to operate stored in them. In many cases a district would be hard pressed to function without the system up and reliable. A systematic wipe of this data across thousands and thousands of districts in the US and Canada would result in massive amounts of chaos that easily would cripple communities, if not large swaths of the country.
It's not unheard of for a district to be closed because their systems are offline. While this would not take down local systems, it would mean that critical scheduling and contact information as well as grading information would be inaccessible. This idea might be a bit of a stretch if I'm being honest, but the level of chaos it would cause would be fairly substantial and unpredictable.
What is clear is that Power School has been incredibly negligent in this regard. Some districts are reporting that SSNs they stored in Power School were leaked, for both currently enrolled and previously enrolled students. I believe it to be very rare for a district to be storing SSNs of students in this way, but it is a default demographic field for students and staff. I've been told that even if you had your remote support access turned off on your on-prem instance, it was effectively a placebo, and the attackers were able to access your system regardless.
In a country where teachers can be individually liable for not using state approved online services, which then suffer a data breach, Power School will get off without even a slap on the wrist. They negotiated with the hacker, paid the ransom, via a convenient and legal intermediary, as any good corporation should. Nothing to see here folks. Just good business as usual.
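The two controls the post describes, time-boxed maintenance access that expires on its own and a remote-support switch that actually denies access, are easy to state and easy to get wrong. The sketch below is an added example written for this thread, not Power School's code, showing how a customer-side instance could enforce both: the grant carries its own expiry (capped at 30 days), every decision is made by the district's instance rather than the vendor portal, expiry and the opt-out are checked at each access attempt, and anything unknown is a deny. All names (`MaintenanceGrant`, `InstancePolicy`, district and ticket identifiers) are hypothetical and the timeline in `run_scenario()` is constructed.

```python
"""Time-boxed vendor maintenance access, enforced on the customer's own instance.

Added illustration for this thread; not vendor code. All identifiers are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_GRANT_DAYS = 30  # the 1-30 day window described in the vendor's statement


@dataclass(frozen=True)
class MaintenanceGrant:
    grant_id: str
    district_id: str
    requested_by: str   # vendor support engineer asking for access
    ticket: str         # customer-visible reason for the access
    issued_at: datetime
    expires_at: datetime


def issue_grant(grant_id, district_id, requested_by, ticket, days, now=None):
    """Create a grant that dies on its own; there is no 'indefinite' option."""
    now = now or datetime.now(timezone.utc)
    if not ticket:
        raise ValueError("a grant must reference a support ticket")
    if not 1 <= days <= MAX_GRANT_DAYS:
        raise ValueError(f"duration must be 1..{MAX_GRANT_DAYS} days, got {days}")
    return MaintenanceGrant(grant_id, district_id, requested_by, ticket,
                            issued_at=now, expires_at=now + timedelta(days=days))


@dataclass
class InstancePolicy:
    """Access-decision state held by the district's instance, not the vendor portal.

    The portal can ask for access; only this object can say yes, so a district
    that switches remote support off is really off (no placebo toggle).
    """
    district_id: str
    remote_support_enabled: bool
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def install(self, grant):
        if grant.district_id != self.district_id:
            return self._reject(grant.grant_id, "grant is for another district")
        if not self.remote_support_enabled:
            return self._reject(grant.grant_id, "remote support disabled")
        self.grants[grant.grant_id] = grant
        self._log("installed", grant.grant_id, f"expires {grant.expires_at.isoformat()}")
        return True

    def authorize(self, grant_id, mfa_verified, now=None):
        """Decide one vendor access attempt. Every unknown state is a deny."""
        now = now or datetime.now(timezone.utc)
        if not self.remote_support_enabled:
            return self._reject(grant_id, "remote support disabled")
        grant = self.grants.get(grant_id)
        if grant is None:
            return self._reject(grant_id, "no active grant")
        if now >= grant.expires_at:
            del self.grants[grant_id]  # expiry enforced at use, not by a job that may never run
            return self._reject(grant_id, "grant expired")
        if not mfa_verified:
            return self._reject(grant_id, "MFA not satisfied")
        self._log("allowed", grant_id, f"{grant.requested_by} on {grant.ticket}")
        return True

    def _reject(self, grant_id, reason):
        self._log("denied", grant_id, reason)
        return False

    def _log(self, outcome, grant_id, detail):
        self.audit.append((outcome, grant_id, detail))


def run_scenario():
    """Constructed timeline; returns each decision so it can be checked."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    grant = issue_grant("g-100", "district-42", "support.eng", "CASE-7781", days=7, now=t0)
    on = InstancePolicy("district-42", remote_support_enabled=True)
    off = InstancePolicy("district-42", remote_support_enabled=False)
    results = {
        "installed_on": on.install(grant),
        "installed_off": off.install(grant),  # the opt-out is honoured
        "day1_mfa": on.authorize("g-100", True, t0 + timedelta(days=1)),
        "day1_no_mfa": on.authorize("g-100", False, t0 + timedelta(days=1)),
        "day8": on.authorize("g-100", True, t0 + timedelta(days=8)),        # expired
        "day8_again": on.authorize("g-100", True, t0 + timedelta(days=8)),  # already purged
        "unknown_grant": on.authorize("g-999", True, t0),
    }
    try:
        issue_grant("g-101", "district-42", "support.eng", "CASE-7782", days=365, now=t0)
        results["year_long_grant"] = "issued"
    except ValueError:
        results["year_long_grant"] = "refused"
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:16} {decision}")
```

The point of the design is where the decision lives: if the vendor portal holds the only copy of "remote support on/off", the customer's switch is advisory. Keeping the grant list and the switch on the instance, and checking expiry on every attempt, means a compromised portal account can request access but cannot grant it to itself.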
How on earth is their data storage Ed 2 compliant when they’re storing unencrypted SSNs? Wtf
They have had that SSN field for a very, very long time, if I recall. May have even been in the initial release when Apple was the one who was making and selling Power School. Power School has been around for like 20+ years. In fact, you can still find some parts of Power School that still have the old glass bubble design that Apple was doing for their iMacs in the early aughts.
We could speculate all day, but I'm convinced that all these "compliance" standards are bullshit smoke and mirrors. States across the US have similar student data privacy rules in place, many of which require software to "pledge" that they do not do anything with your students' PII. Over the course of 2020 and beyond, because of lock-downs and remote schooling, and thus students' exposure to more online software, states have begun cracking down on what software can and cannot be used in districts. Often, these laws require a software vendor to sign an agreement that they will not collect, distribute, or store student PII. It's in the companies' best interest to say they won't do that, but continue to do it anyway, since no one can scrutinize their codebase to see whether they're really complying or not.
Google, famously caught collecting data on students, specifically data-mining student email messages, says they do not use our data to train their large language models, but I think that's bullshit. There is no way to verify that this is true, and even if it wasn't true, they would simply say it was a "bug" or "glitch" and not the "intended" outcome. Which is precisely what Power School is saying about their customer support team having full unconsenting access to every instance both on-premise and in the cloud. It's clear to me that this was simply a move to ensure tasks were being completed efficiently and "on time".
It's also not uncommon for software vendors to just whole cloth make up a sticker or seal that indicates their software is "fully secure" or what have you. Ashley Madison is a prime example of a site that had all kinds of graphics stating their site was "100%" secure, even though those graphics were made by their design team and nothing was secure at all. I don't think the lesson Silicon Valley learns about getting caught with a fake "Official Nintendo Seal of Quality" is that they need to actually put in the work to secure their software. I think the lesson they learn is how to not get caught.
How can anyone know if a site is Ed 2 compliant if there isn't a group doing compliance checks? From the NYSED website:
This is true in my state as well. We are at the mercy of the vendor's word. There is no way any district, even the largest district in the country, is going to gain the required access and have the necessary skill sets to truly verify that these services and pieces of software comply with the law. The corporation signs the pledge, changes nothing, then scapegoats a contractor account when something goes wrong. It's never an intentional skirting of the law, it's always some unintentional oops.