One week later and we still have questions about the PowerSchool breach
It has been about a week since my last post, and enough people have asked for a follow-up on the PowerSchool situation…
If you’re interested in the details on the PowerSchool breach, I recommend starting out with Andy Lombardo’s Substack and K12 Six’s FAQs. A huge shout-out also goes to Romy Backus for creating the definitive guide for reviewing your PowerSchool logs!
Additionally, I want to acknowledge PowerSchool CEO Hardeep Gulati and CISO Mishka McCowan for their prompt response last week. The level of openness regarding the incident itself, along with the relatively quick timeline for customer notification, is quite unusual. Although PowerSchool is currently facing significant backlash (and I anticipate receiving some for defending them), the level of detail already provided about this breach is praiseworthy. Undoubtedly, PowerSchool is facing pressure from lawyers, law enforcement, and investors for discretion, yet they have established a new standard for company transparency and timing. I sincerely hope this continues as the discussion progresses.
PowerSchool is likely inundated with questions from customers and is still formulating an official response because of the multiple lawsuits, but there are some major themes among the questions being asked. Hopefully, we'll soon have answers to some of the biggest questions lingering in the community.
1. How did one compromised account lead to this?
Many of us were shocked to hear that a single account had access to all customer instances (including on-prem), and we still have questions about how that account was secured. Mishka McCowan mentioned that the account belonged to a PowerSchool subcontractor, which raises questions about the efficacy of their SOC 2 controls, the security practices of their subcontractors, and/or PowerSchool's monitoring. PowerSchool has completed a SOC 2 Type 2 audit, which is not as common in K-12 as in other industries, so what does this say about our industry as a whole? As I post this, we're also learning of another major breach at Scholastic that may have been the result of poor account security, so this will surely be a major discussion point moving forward.
2. How many districts were impacted by this?
I originally assumed the breach would affect fewer than the 18,000 districts that currently use PowerSchool; however, it did not take long for us to learn that former customers were also impacted. Some districts were surprised to learn that a system they no longer use still held their data, which raises a lot of questions about data privacy agreements, contractual obligations, and liability.
3. How many students were impacted?
Although it may seem similar to the previous issue, we discovered that the data extracts included all students, not just actively enrolled ones. This means districts are notifying former students and alumni about the breach. It's difficult to estimate the total number affected, but the 800,000 figure cited in a class action lawsuit is likely an underestimate.
For example, South Carolina, which uses PowerSchool statewide, has about 800,000 active students this year. Each historical year stored in PowerSchool would add around 60,000 students, and South Carolina represents less than half a percent of PowerSchool's customer base. Given the many variables involved, it's impossible to determine the total number of affected students, but some districts report that the number of impacted students is 4 to 10 times the number of actively enrolled students affected by the breach.
There are some silver linings, though…
We were lucky that this attack was limited to data exfiltration. I don't mean to minimize the situation, but PowerSchool being offline on a Monday morning is arguably worse. School districts depend on their SIS for student safety and school operations, and we would have been talking about school cancellations if PowerSchool's availability had been impacted. Districts are already dealing with fires and blizzards right now, so losing a student information system at the same time would be catastrophic for some.
This has also raised the level of urgency within the industry, with districts and ed-tech companies all talking about what we can do differently. Some ed-tech companies have shared security updates with customers this week, and many district and IT leaders are reviewing internal practices. It's unfortunate that it took an incident of this magnitude to move the needle, but that's the hard truth.
So where do we go from here?
For now, the conversation should focus on communication between PowerSchool, districts, and families. I hope PowerSchool continues to provide as much information as possible to districts so they can support families. Parents are asking districts for more information, and we need to make sure that school districts have the information they need to respond. The more information we can give to district leaders, the more they can get back to focusing on classroom instruction!
I have lots of thoughts on next steps, but let’s try to keep the conversation focused on communication with families right now.