Power School (formerly owned by Pearson) suffered a massive data breach in December after a hacker group compromised a contractor account with full access to their customer support toolset, allowing them full administrative access to any and every instance of Power School, on-prem or hosted in the cloud. Power School is the leader in school information systems; it is used all across the US and Canada.
Despite having CrowdStrike monitoring and protecting their internal systems, Power School wasn't aware of their breach until the attackers provided them with proof and a ransom demand.
Power School utilized CyberSteward, a corporation which bills itself as "Trusted Advisors in Threat Actor Engagement, Negotiations, and Cyber Resolutions", meaning they negotiate with hackers and facilitate the transaction of the ransom. A neat little business model if I've ever seen one.
For years now districts have been making progress on complying with cybersecurity insurance companies' requirements to enforce 2FA on teachers and staff, with much pushback. This feat is done in districts all across the country on shoestring IT budgets.
Meanwhile, Power School Inc., an approximately $3bn corporation, left their entire customer support staff without MFA. These support accounts had broad access to school systems' data. This data could be accessed at any time, with zero consent from the client, for an unlimited duration.
Power School says, "Moving forward Power School will no longer have time-unlimited access. They will need to request access each time. Maintenance Access will not be turned on indefinitely. It will turn off automatically in 1-30 days and need new action to turn it back on later."
They also say they have now enforced MFA to log into the VPN where PowerSource (their support portal) is now accessed. Eventually MFA will be required for PowerSource support staff, too.
Too little, too late. Thankfully these attackers were only interested in extracting a ransom from Power School. With the level of access these attackers had, they easily could have wiped the data in these systems. Power School has parent contact information, emergency contact information, schedule information, grades, discipline reports, 504 information, lunch balance information, everything a district needs to operate stored in them. In many cases a district would be hard pressed to function without the system up and reliable. A systematic wipe of this data across thousands and thousands of districts in the US and Canada would result in massive amounts of chaos that easily would cripple communities, if not large swaths of the country.
It's not unheard of for a district to be closed because their systems are offline. While this would not take down local systems, it would mean that critical scheduling and contact information as well as grading information would be inaccessible. This idea might be a bit of a stretch if I'm being honest, but the level of chaos it would cause would be fairly substantial and unpredictable.
What is clear is that Power School has been incredibly negligent in this regard. Some districts are reporting that SSNs they stored in Power School were leaked, for both currently enrolled and previously enrolled students. I believe it to be very rare for a district to be storing SSNs of students in this way, but it is a default demographic field for students and staff. I've been told that even if you had your remote support access turned off on your on-prem instance, it was effectively a placebo, and the attackers were able to access your system regardless.
In a country where teachers can be individually liable for not using state approved online services, which then suffer a data breach, Power School will get off without even a slap on the wrist. They negotiated with the hacker, paid the ransom, via a convenient and legal intermediary, as any good corporation should. Nothing to see here folks. Just good business as usual.
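The post describes three controls the vendor says it is now adding (MFA for support staff, per-request access, and a 1-30 day automatic expiry) and one that apparently did not work (the customer's "remote support access off" switch). Below is an added example, not Power School's code and not derived from any of their systems, of how a vendor-side access broker would enforce all four: the district's kill switch is checked at the vendor's access path both when a grant is requested and every time it is used, the window is clamped to 1-30 days, and un-MFA'd staff are refused. All names (`AccessBroker`, `DistrictInstance`, district ids, staff ids) are constructed for illustration.

```python
"""Time-boxed, customer-gated vendor support access (illustrative only).

Added example; not Power School's code. Models the controls discussed in the
post: MFA required for support staff, access granted per request with an
expiry clamped to 1-30 days, and the customer's "remote support access off"
switch enforced by the vendor's own access path (so it is not a placebo).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_WINDOW = timedelta(days=1)   # shortest maintenance window
MAX_WINDOW = timedelta(days=30)  # longest window; longer requests are clamped


@dataclass
class DistrictInstance:
    district_id: str
    remote_support_enabled: bool = True  # customer-controlled kill switch


@dataclass
class SupportGrant:
    staff_id: str
    district_id: str
    granted_at: datetime
    expires_at: datetime
    reason: str


@dataclass
class AccessBroker:
    instances: dict                                  # district_id -> DistrictInstance
    mfa_verified: set = field(default_factory=set)   # staff ids with a fresh MFA assertion
    grants: dict = field(default_factory=dict)       # (staff_id, district_id) -> SupportGrant
    audit: list = field(default_factory=list)        # (event, staff_id, district_id, detail)

    def request_access(self, staff_id, district_id, reason, now, days=1):
        """Issue a time-boxed grant, or None if policy refuses it."""
        inst = self.instances[district_id]
        if staff_id not in self.mfa_verified:
            self.audit.append(("deny", staff_id, district_id, "no-mfa"))
            return None
        if not inst.remote_support_enabled:
            self.audit.append(("deny", staff_id, district_id, "customer-disabled"))
            return None
        # Clamp the requested window into the 1-30 day range.
        window = min(max(timedelta(days=days), MIN_WINDOW), MAX_WINDOW)
        grant = SupportGrant(staff_id, district_id, now, now + window, reason)
        self.grants[(staff_id, district_id)] = grant
        self.audit.append(("grant", staff_id, district_id, reason))
        return grant

    def can_access(self, staff_id, district_id, now):
        """Evaluate at use time: an expired grant or a flipped kill switch denies."""
        grant = self.grants.get((staff_id, district_id))
        if grant is None or now >= grant.expires_at:
            return False
        # Re-check the customer's switch on every use, not only at grant time.
        return self.instances[district_id].remote_support_enabled


def demo():
    """Walk through the cases; returns the audit trail so it can be inspected."""
    now = datetime(2024, 12, 1, tzinfo=timezone.utc)  # constructed timestamp
    broker = AccessBroker({
        "district-a": DistrictInstance("district-a"),
        "district-b": DistrictInstance("district-b", remote_support_enabled=False),
    })
    broker.request_access("support-1", "district-a", "ticket-1", now)  # denied: no MFA
    broker.mfa_verified.add("support-1")
    broker.request_access("support-1", "district-a", "ticket-1", now, days=90)  # clamped to 30
    broker.request_access("support-1", "district-b", "ticket-2", now)  # denied: customer off
    return broker.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The point a reviewer would check here is `can_access`: the kill switch and expiry are evaluated on every use, so a district flipping remote support off mid-window takes effect immediately instead of being a UI flag the vendor's tooling ignores.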
When I was in high school, the intertron was still new (56k dialup was "nice"). I was in an AP class for comp sci where we learned a teaching code language to help us learn how object oriented code could be organized. It controlled a theoretical robot that didn't exist.
The school library staff, a bunch of ancient relics, insisted no one in this class of 6 dorks be allowed to use the student computers in the library during free time because we were all, obviously, "hackers". All of us had to have our names and photos on file with the library so they could keep us away from the computers.
kudos for not being like the adults when I was a kid.
Man, I was that kid those adults harassed. Then I ended up doing the job that I regularly tormented. Now though, things are pretty turnkey and devices are basically disposable. We still hold kids accountable for physical damage, but we are pretty sympathetic to the tech-savvy kids.