¶ Intro
On this week's episode of the K-12 Tech Talk podcast, the PowerSchool hacker has been arrested and we now know who is behind the most infamous cyber attack of the year. We interview cybersecurity expert Michael Klein about the significance of this and the next steps for districts and policymakers. Thanks for listening.
Live from the NTP studios, this is the K-12 Tech Talk podcast. I am Josh, tech director here in Missouri. I've been here 11 years. Well, not on the podcast 11 years, but I've been in schools for 11 years, in IT for over 25. Our other co-host, our other partner in crime from Missouri, Chris, he's dancing tonight. Isn't that what he said, Mark? I know I haven't introduced you yet,
But he's at a dance event. I didn't catch who was dancing, though.
I thought he said he had to dance tonight.
It's possible.
He does that on occasion. Now that we've heard you, Mark, you're here. You're over on the East Coast, on the right-hand side of the country. That's right. You were a teacher for how many years?
About five years.
Okay. And you were CIO for how long?
11.
So we'll respect that.
With some stuff in between.
A sailboat operator, some school teacher.
Yep.
And now you're a consultant. What we do here is we bring you K-12 technology, news, topics, trends. Sometimes we just complain about things going on. I'm going to complain about not having internet this week. We do have some sponsors. Chris pre-recorded these because I guess he didn't want to feel left out this week. So we're going to take a break real quick for our first sponsor.
Hey, I want to talk about Eaton just for a second. You can check out the new Eaton 9PXG2 UPS. It's the latest edition in the evolution of their 9 Series UPS lineup. They have a pretty successful lineup with that. This UPS is simple to configure, it's easy to deploy, and a lot of K-12 techs are using it. So learn more at eaton.com slash 9PXG2, and I'll put a link to the podcast description for that.
So yeah, we had bad storms, tornadoes again. I think Missouri's had like 36 tornadoes in the month of May already. But thankfully, we had backup internet. So we went from having five gig internet connection for our primary down to 500 meg on the, I guess, the first day of finals because our school year ends tomorrow. So that was fun. I ended up blocking YouTube for all students. I didn't hear much complaining out of that, but we were still capping that pipe out.
So I ended up needing to block Hudl of all things during the instructional day. And that brought us down to about 200 meg throughout the day.
So was there anything on the athletic field or in the gym? Nope. What were they watching then?
Old game tape.
Oh, that makes sense.
You got to get better, Mark. You got to look at your mistakes to get better.
Well, they can't now because you're a jerk and you blocked them.
Yes. You know, so one of our schools had a little carnival thing, celebration end of year type thing, snow cone bus, whatever. But one of the stations was a dunking tank. And I thought about making a sign that said, I blocked cool math games and going over and sitting in the dunking tank. I feel like the kids would have really liked that.
I mean, that's a brutal self-punishment, but okay.
I mean, you know, it's fun.
Would they aim at the target or just at you?
Probably me, but on the dunk tank, there's a fence in front. You know, like the old, when you would go to country, country, I don't know if you've ever been to country western bar, Mark, but these like hole in the wall country western bars, they'd have chicken wire over the stage so that you couldn't throw bottles at the band, you know, beer bottles. Like, what was the movie? Blues Brothers in that movie.
I did. Remember, I went to that country western concert in Missouri when I went to go visit you guys with my wife and it ended up horribly embarrassing for me.
Oh, that's right. Because you were yelling that you were from Boston.
No, I wasn't volunteering that information. I was trying to stay quiet. And then the singer on stage was like, hey, we're taking requests. And he points at me. And he's like, what do you want to hear? And I just drew a blank. And I was like, I don't know any country songs. And then everybody in the bar looked at me like, what do you mean you don't know any country songs? And I said, I'm sorry. I'm not from here. And then the rest of the night, they just ridiculed me.
Well, and to be fair, that wasn't a real country. They didn't have chicken wire over the stage. That was a nice.
That was the closest to a country concert I have ever been to. So don't rain on my parade. Really? It was pretty. It was pretty.
¶ PowerSchool Hacker Arrest Details
Let's hit that. So big, big story we're going to talk about. Mark, you broke the story to us. Why don't you lead this, tease it real quick, and then we'll get into the news and come back.
The PowerSchool attacker has been arrested.
Dun, dun, dun.
Never thought we would hear this, but the PowerSchool hacker turns out to be a 19-year-old college student named Matthew Lane.
Was he one of your former students?
No, but he was from Worcester, Massachusetts, so not too far from me. Matthew D. Lane, a 19-year-old student from Assumption College, was arrested and has been tried with multiple counts related to the ransomware incident for two victims. One of those victims, the first victim that he attempted to extort, he did not successfully extort them, but he tried to, was a telecom company.
That incident began back in 2022, and his extortion attempt was last spring, about a year ago now. He and a co-conspirator from Illinois, we do not know who this person is, attempted to extort the telecom company for approximately $250,000. They were unsuccessful. And then conversations between the two said, let's try to get somebody else.
And in September of this last year, excuse me, September 4th is when Matthew Lane used the employee's or the subcontractor's credentials to gain access to PowerSchool systems. And then as we're going to find out some more details in a little bit from our main interview, gained access to PowerSchool systems and then the rest is history.
There are a couple highlights here. 19-year-old, number one, like I have a 19, my son's 19. That would be a really bad conversation to have. Two, it was the second ransom attempt of a company by this 19-year-old. You know, telecom company being the first, PowerSchool being the second. Three, did you say how much the ransom was?
I haven't gotten to that. That's the crazy part.
Three, he got access in September.
Yeah.
Not December, as was claimed by all the PowerSchool people and the webinars and even the interview that we did. I will say there was someone that I was having conversations with when all this was happening back in December, January, that said December wasn't the original access. It happened months before. So, that person was correct. Those three things to me are shocking at this point. And we're going to get even more shocking.
Yeah, and we have some answers to some of the questions we've always wanted. So the first answer that we were able to get from the arrest documentation, as well as this plea bargain, which was released this week, the total number of impacted students and teachers was over 60 million students and 10 million teachers, which is very close to what we thought. Their student population within PowerSchool is around 70,000 or 70 million students.
So this is a pretty significant number of PowerSchool customers that were impacted by this. The second piece of information, which I never thought we were ever going to see, is the ransomware amount. Now, I'm going to clarify this before I give you the number. This is the amount that he attempted to extort from PowerSchool. It's not the amount that was paid. He attempted to extort PowerSchool for $2.5 million.
$2.8 million. Excuse me.
Well, so this is the tricky part. He was going for 30 Bitcoin. And so the value of that Bitcoin depends on, yeah, whatever the exact date. And Bitcoin's gone crazy in the last few months.
The last week, it's up crazy. Yeah.
So 30 Bitcoin, approximately $2.85 million. The full amount that he actually did receive is still unknown. We do know that he has been ordered to pay restitution of $160,000, or he will be. And that is the amount that he received. We don't know if that is the full amount. We don't know if the co-conspirator also received some money. We also don't know if there's a larger group that was involved. So we know that the dollar amount is $160,000 at a minimum that was paid for the ransom.
The amount requested was $2.85 million. And some interesting numbers in here, and this is a very large scale or large range here. They do say that the damages to PowerSchool, or they should say Victim 2, was between $9.5 and $25 million. Now, that's going to include the communication costs that they had to endure, the credit monitoring, potential loss of customers and reputation.
So that's a very wide range. Yeah, yeah. But $9.5 to $25 million is the estimated cost of the damage that was caused by this incident. So Mr. Lane will be facing between five and seven years in prison, as well as an unknown amount of fee or fine.
This all comes with more questions. One, you and I talked about this before we started the show. How did he get the credentials to the contractor to gain access to PowerSchool? That's still, from what we can tell or from what Mark can tell in his research. And let me just say, Mark has spent hours in the news center working on this. We had to add a refrigerator in there so he could eat.
Dr. Pepper in that refrigerator.
Dr. Pepper. Yep. How he got those credentials is question number one to me. The other big discussion point, and I don't know that we'll find this out: How did they catch him? What was his tripping point? And how the FBI and whoever else found this 19-year-old?
Um, was it they were watching the wallet, the destination wallet that it went to, and they saw a withdrawal? Was it some other trip-up? You know, did they find the email account that he was using? I would really like to know that, but I don't know that we'll find that out, because I'm sure that's going to be one of those things that's going to be a trick or a tool that they are going to want to use again to catch bad guys. You haven't seen anything anywhere, have you, in the news center? Yeah.
So we're going to spend some more time on this episode. We have a special guest that we're going to be interviewing in a few minutes, Michael Klein, the cybersecurity expert. He'll be joining us in a few minutes.
It's quick to point out, or we should point out, that these are allegations. And again, he's pleading guilty, but you always get your day in court. Whatever that disclaimer is there. Speaking of Michael, did you ask him if he's related to the fashion company? You know, Michael Klein? Did you ask him if he's related?
No, I didn't. You know, that didn't come up, no.
These are the jokes, folks. Let's hit another advertiser real quick before we get into the news.
Hey, by the way, check out Managed Methods at managedmethods.com. They can help you with your student safety and monitoring with your Google, with your Microsoft, all that stuff. Check them out at managedmethods.com. They are your trusted leader in K-12 cybersecurity, student safety, and compliance. We know that everyday schools face rising threats, ransomware, phishing, all the great stuff. And Managed Methods has some stuff built in to help fight against that.
They can check out your email, your shared files, your online browsing, your classroom management. Do all of that under the Managed Methods umbrella. And hey, they're giving us a 30-day free trial. Go to managedmethods.com. Say that we sent you.
All right. Mark, you told me you weren't going to share the news stories with me because you wanted my organic reaction, which this always works out really well.
Yeah, yeah.
This always works well.
So I've got two news stories. These are how schools are handling physical threats to campus.
¶ AI Weapons Detection?
So essentially school shooters in two different approaches from two different states. The first one.
Does it have to do with see-through backpacks?
No, no.
I was talking to a district this morning. So first message in this chat room that I'm in this morning was, well, my district, my board just approved requiring see-through backpacks for all students next year in the high school.
Interesting.
Yeah. Okay. No. Continue on with this.
Well, you know what? That would go really well with this first one. So Salem City Schools in Virginia is a school district of about 4,000 students, and they are going to be piloting an AI weapons detection system that will use cameras to determine if there is a firearm, smoke, unauthorized intrusions, and it will alert a central admin staff as well as the police. Very, very interesting. This was chosen over traditional metal detectors because it has a better feeling for those involved.
You know, you don't have to have the students going through metal detectors. Sure. And they'll be installing new cameras to improve their clarity and reduce false alarms.
We are in the age of AI, right, Mark? I've heard about it. Yep. Yes. We're all there. Skynet is with us.
Mm-hmm.
However, there are appropriate times and uses for AI, and there are dumb uses for AI. The idea that AI is going to make you 100% safe from an active shooter or bringing a gun on campus standpoint is asinine. If the gun is out and the person walks up, absolutely, it can probably see that, detect that, make the alert. Great. What happens if it's a pistol in a person's backpack and you don't have see-through backpacks like my friend's school?
Yeah, I think obviously the purpose is to determine when something is visible. And I'm more inclined to... I like their approach of, like, we can detect smoke and fire and other kind of, you know, different threats to students and safety better than the school shooting scenario. But I understand where the advertising comes in. Yes.
And I will say there has been a very large PR push here in Missouri, Southeast Missouri in particular, news stories about AI weapons detection. And again, picking up an active shooter where the gun is out in the open, OK, great. It probably can do that very, very well. But I think some people are getting a false sense of security from that term of, you know, AI weapons detection. It's not an x-ray machine.
Yeah, I hear what you're saying. I think the thing that for me that struck me as alarm, not alarming, but this is a very expensive solution. So the total cost was $40,000 for hardware and $47,000 annual.
Oh my gosh.
And in many parts of the country, $47,000 annually is the cost of a school resource officer, or at least a portion of a school resource officer. And I feel like investing more in humans for a problem like this has a lot of other benefits and values.
So it's a decision that the school district made. I'm not going to knock that decision because I'm not in that school district, but it is one that's a very hard pill for me to swallow, seeing that amount of money put towards an AI weapons detection system when we're still trying to figure out if this stuff even works.
Well, and you can get into that similar discussion or similar talking points about AI replacing teachers. The AI is not the adult in the room creating relationships with the students. And the same thing with SROs. The AI weapons detection is not the human SRO in the building, walking the halls, having lunch with kids, creating those relationships with kids that make them comfortable enough to come to the SRO when there's an issue.
Hey, I heard this kid talking about bringing a gun to school tomorrow. SROs develop those relationships and sometimes can address those situations before they take place, before the weapon even shows up on campus. I completely agree with your statement there, Mark.
Well, then you're really going to like this next one because this next one is not at all.
Oh, I thought that was the one you, I thought that was the bad one.
No. Well, I mean, I'm not saying anything's good or bad.
I'll say they're good or bad.
¶ KILLER DRONES!!!!
This next one is, there is no AI involved. This is all human-driven solutions to prevent active school shootings. There's a Texas startup called Campus Guardian Angel. And they're going to be installing some hardware in your school. In the event of a school shooting, an alert will be sent up and a team of drone operators will remotely pilot these drones to hunt and immobilize any sort of school shooter or threat to your campus. That's right. A Texas startup is using killer drones to combat school shootings.
Who wouldn't have made that bet that if there were to be killer drones, that they would have been developed in Texas.
I mean, absolutely. Texas is the first one that's going to do this. No offense to our listeners in Texas. We have a lot of listeners in Texas. We know you guys are pretty proud of this. I should clarify, these are not exactly killer drones. These drones achieve a speed of 30 to 50 miles an hour indoors, 100 miles an hour or more outdoors.
No, no.
They are equipped with pepper spray guns, front lances, sirens, flashbang devices, and two-way communications.
Lances? Like, they're going to ram that drone into someone at 100 miles an hour on the sidewalk.
Very possible. So the idea from the owner, this is his exact quote. The goal, he said, is to respond within five seconds of an active shooter alarm, be on the shooter in 15 seconds, and degrade or incapacitate the shooter in 60 seconds.
There's, there is so much to talk about. There's...
A lot to talk about.
So I'm assuming they're going to have these drones, like a base unit, several base units, inside the building as well as external to the building.
You'll have a box of six drones.
Okay.
Priced at about fifteen thousand dollars.
Okay, and...
Yeah, that's not... I haven't gotten there yet. The service will cost about four dollars per student per month.
Oh my God.
Yes. Yeah, you're looking at two hundred thousand dollars for your average school district.
And Texas has gigantic school districts, right? Like, they're all ISD, like, huge districts. Yeah.
Now, they're piloting this summer into private school and they'll be moving towards a public school in the fall.
You know, this would be fun to go on a site visit and see it in action. Maybe. I want to hear that drone come.
I think I'll settle for a video. I don't want to be there.
I mean, if you're going to go as far as to outfit them with pepper spray and a lance, and what else?
We have pepper spray, lances, sirens, two-way communications, and flashbangs.
I would give up. I would give up the flashbang for just put a gun. Just, I mean, we all know what's coming next.
It is illegal in the United States to put a firearm on a drone, unfortunately.
Meh, who cares about laws?
Okay, let's put ourselves in a classroom here. You're in a classroom and you hear some alarming sounds. And then the next thing you know, you hear the whir of a drone flying by your classroom door.
A 30-mile-an-hour drone.
30-mile-an-hour, 50-mile-an-hour drone. Maybe a flashbang. Somebody's screaming from pepper spray. And the teacher's going, let's get back to the lesson here, folks. Nothing to see here.
And then you step out in the hall and someone has been impaled by the lance.
Now, I want to read to you the quote from the founder of the company that just blew my mind here of the reality of what we're in here. In Texas, we're building four rooms and four teams so we can handle four things simultaneously. So what he's saying is we have the capacity to handle four active shooters at the same time. Quote, I can't find anywhere in the data that shows me Texas has even gotten close to that.
So we're pretty confident we can protect every school in Texas with that configuration. What he's saying is he's done the research and there's never been more than four simultaneous school shootings. And so he is prepared for that. This is insanity.
I mean, have you ever watched indoor drone racing? Like we could make this could be entertaining.
Now, we know that there's one of our listeners out there going, are they going to need a Wi-Fi network for these drones? Do these drones work on WPA2 or WPA3? Yep. 802.11? I just switched over to 5 gigahertz. Are you telling me you're going to need the 2.4 gigahertz for these drones? Yes.
It goes further.
2.4 is right. You don't want your drone crashing if it gets outside.
No, because it ran out of five. Yeah, yeah.
I know this is a serious topic, and we're pretty tongue-in-cheek here.
Yeah, we're being lied.
This is an insane response, in my opinion. I'm sorry. This is an insane response to a threat like this.
Mark, you really should have told me to have a bourbon or two before we started. Like, this could have been... I mean, what else? Why? Let's replace police forces with this. I mean, to me, that would be a logical step. Like, why not? Where you're having a major city, let's take St. Louis, for example, that everybody says crime's horrible in St. Louis. Patrol the streets with a drone with a lance and pepper spray and flashbangs. Don't forget the flashbangs.
That's amazing. And it can go 100 miles an hour. That could get from me to St. Louis and back in less than an hour.
They've hired professional drone racers for this.
There you go. We always wondered where those people were going to end up, those drone racing people. Now we know, Texas.
Yep. So they have a team of professional drone racers, military veterans, and former law enforcement officers that will be operating a surveillance hub in Austin, Texas.
And of course, it's Austin. Austin is such a fun town. How big are these drones?
I don't know. It's a great question.
I mean, depending on what the lance is made out of, that's going to be some weight. And flashbang. It's not going to be your normal DJI Mavic type drone, I don't think. This is going to have to be a beefy drone. I would like to see what the base unit looks like, too, if it has six of them in it.
I'm going to show you a video. I know that this is not necessarily a video for a podcast, but just listen to the sound for a second.
A Texas-based company is using drones to keep students and police safer. Campus Guardian Angel, based out of Austin, has designed a drone system intended to stop in-progress school shootings. That's a demo at a Dallas elementary. A man was posing as a threat. Seconds later, you can see the drones swarm in. They can guide law enforcement, deploy pepper spray and flashbangs and even dive at the target. The drones stay hidden until activated by staff or AI threat detection.
You really need to watch the video at least through the point where they show drones breaking through the windows of classrooms. Well, I'm serious. You have to watch this video. Yeah, sign me up. I'll be an angel investor.
This is 2025.
Wow. Okay. Let's hit our last sponsor before we get into the interview.
Hey, finally, two sponsors. We got Fortinet, fortinetpodcast at fortinet.com. Check them out for all your Forti needs. I just got a FortiGate at my school district along with FortiTokens and the FortiAnalyzer. It's all good stuff. Email fortinetpodcast at fortinet.com. And I want to give a shout out to Prey. We've been hanging out with Prey for several weeks. They can help you with your assets, with your good inventory of things and all the security that gets packed in with it.
You can check out PreyProject.com, and they're giving a 15% off discount for any first-year customers that come from the podcast that come from K12 Tech Pro. So check out PreyProject.com.
¶ Interview with Michael Klein
Okay. Mark, go ahead. Tell us about this interview with Michael.
So we were very blessed to have Michael Klein. Michael was the senior advisor for cybersecurity at the Department of Education and was very instrumental in the early days of the PowerSchool breach. In fact, I think if you think about like the White House movies, he's the guy running down the hallway with a folder like, I got an emergency. I believe that's what Michael was doing.
Don't quote me on that one, though. Or maybe he was probably just running down with a Diet Coke. But he is now working for the Institute for Security and Tech as the senior director for preparedness and response. Very excited to have Michael on board to talk about the significance of the capture of the PowerSchool guy. Yeah.
Thanks for coming on, Michael. We appreciate your time.
Okay. I am joined by Michael Klein. Michael Klein is a good friend of mine. I have known him first in his initial role as a senior advisor for cybersecurity at the U.S. Department of Education, now as a senior director for preparedness and response at the Institute for Security and Technology.
And over the last few months, Michael has been very instrumental in keeping all the different agencies and groups, nonprofits and school district support teams, all informed about what's going on with PowerSchool and what to do next. Given the major news this week, it makes perfect sense that we've got Michael joining us. Michael, how are you?
I'm great. Thanks so much, Mark. It's wonderful to be here. Yeah, I'm excited to dive into this with you. It's the first time I'm out of government and can talk about some of this stuff in some more detail.
So a person from Massachusetts who's not me and not you, because you're also from Massachusetts. Somebody has been arrested. We didn't know this guy was under our noses the entire time. We've had a lot of news articles about it. And you and I have both read both the indictment as well as the plea deal. And there's a lot of interesting pieces of information that answered quite a lot of questions, but there's still a lot of unknown questions out there.
What can you tell me are some of the major takeaways from the news this week?
Absolutely. So maybe I can take a step back and tell us kind of how we got here and then take us into the big takeaways from this week. What I should probably say right off the bat is nothing I'm sharing here is non-public information. So from my time at the Department of Education, I did a lot of work with the White House and with the FBI and with the intelligence community. Nothing I'm sharing here is stuff that is in any way privileged or classified or anything. This is all open information.
So to start, I think one of the big things that we learned from this indictment is that it confirms that the incident started not in December, but the incident started in September. Right. And so I think my big takeaway was there were roughly one hundred and six days between the day that this 19-year-old from Massachusetts gained initial access to PowerSchool systems and the day when that data was exfiltrated en masse in December.
And so I think a few big things for us there. So, one, let's start with the threat actor, right? I think predominantly what we've seen is that most of the ransomware and most of the data extortion is being done by criminal ransomware groups based outside the United States, mostly in Russia or Russian speaking countries. And so the fact that this incident was done by a college student in Massachusetts that the FBI can actually put handcuffs on is a very different type of issue.
It looks more like some of the other kinds of threats we've seen more recently, groups that you might have heard of, like Scattered Spider, which are kind of English-speaking young, mostly men, who are running these kind of ransomware or extortion groups that are based in the U.S. and are getting access through oftentimes customer support portals because they're able to speak English and get access that way. This one was actually easier than that.
The fact that this person, as we saw in the indictment, was able to just with a username and password that was valid for a contractor's account, log in is one, a huge issue for us, right? I've been a school district IT director who used PowerSchool. I know you are a school district IT director. The fact that someone could log into a support portal that has access to everything with just a username and password is terrifying. And it's a really huge concern, right? So that's one.
I think a second piece there is that when they logged in, it looks like on that day in September, they accessed one school district's data at this point. We hope PowerSchool and other organizations like this would be able to see someone has logged in from a different address or another place, right? Like, even though they have the valid credentials, we should be able to figure out what's going on here, right? Right.
And so in that hundred-and-six-day period, there were tons of opportunities if there had been, let's say, endpoint detection response on that machine or had there been multi-factor authentication forcing a login for this to have been mitigated. Obviously, any district's data going out the door would be bad, but one district is way better than 4,000 districts, right?
So I think, like, in terms of the mitigation of harm, that's the biggest thing for me in this story, right, is that we had from September to December for this to stop had anyone known this was happening, right?
And we don't know, based on the information that's been made available, what activity was happening between September and December. It sounds like what very well could have happened is he compromised an account, kind of did a little bit of a proof of concept. I know I can get data and kind of slept on it for a few months or maybe did a little bit more recon.
But we don't know what happened in between those few months because, as we can definitely see from the timeline and from even just the community, all the activity happened over the winter break around December 26th, 27th, 28th.
Yep. And so I think that those kind of two pieces there, like one, who is the threat actor, not who we often expect. And two, how much time there was between the actual beginning of the incident and when the massive data exfiltration happened are two big things that we learned from this.
I think taking a step back to, like, what does this mean for us as IT directors in school districts and as policy professionals and in working with our leadership at the district and state level, I think part of the challenge so many people have faced with this is: our families are going to assume in lots of ways, understandably, that this was our fault as IT directors, right? Because it's a system that we run in our school district. When, in fact, in this case, that's not the case, right?
There was nothing that school districts could have done to stop this from happening because this was a breach of PowerSchool system with access controls completely handled by PowerSchool, right? Right.
And so I think from a kind of messaging perspective about this specific incident, there's a big, I think, focus for us on helping our leadership in our district, our school boards and our superintendents understand that we have to, in order to make our district function, depend on trusted providers. Right. And we have to assume a certain amount of trust in those providers based on what they tell us they do in terms of their practices and their security. Right.
And it's not like PowerSchool is a fly-by-night group that had just shown up for a day. Right. This is the largest student information system in the country. There are roughly three that have almost the entire market share in our country. And I think it makes us have to wonder now, what do we have to do to ensure that we are getting secure technology in our districts and that we can trust them?
Right. Because not only does this undermine the trust that our families have in these systems, it means that families are less likely to trust us with their students' data and the interesting and exciting things we want to do with AI or other kinds of things that are going to require access to data. Right. And so I think on that front, you know, there are a lot of things we could do on the front end in terms of how do we build this into contracts? How do we do this in our initial vetting?
And then on the back end, also, I think the lawsuits that are coming now are an interesting way to understand if we do build in strong contracts. Right. When this happens, can we sue for breach of contract? Not just because we lost the data, but because you didn't do the thing you said you were going to do.
Right, because I think the thing that's really hard in a lot of data breaches, and we've all experienced this, right, because like there was Equifax, there were, everyone's had their data online. You almost get nothing at the end of the story, right? Like if they give you anything, it's identity monitoring and maybe a couple of dollars, right? Because it's hard to prove that this specific data breach led to this specific harm, right? Right. But by attacking it from the contract angle, I think that's an interesting different approach that we're seeing now.
I've struggled with this exact question. And what do we do from here? And we talked with PowerSchool themselves and we asked them this exact question. What should we do? What should we be asking of our vendors? And the thing I struggle with is like, there are some industry standards out there. SOC 2 Type 2 certification is like kind of the gold standard. PowerSchool obtained that certification. Many, many other ed tech companies have obtained that certification and it wasn't enough. So,
I think we're kind of also feeling powerless. Like, yes, this wasn't our fault. Yet at the same time, I don't know what I would do differently. And I also don't know if I'm evaluating a company, if there is something for me to be able to say, yes or no, this isn't a safe company to deal with.
Yeah.
The other thing, too, which I think is just amazing. I don't know, maybe amazing is not the right word on this one, but PowerSchool was bought in the middle of this. So October, November was the big announcement that Bain Capital had purchased PowerSchool for something like $5 billion. And unbeknownst to all of us, including Bain Capital, there was a sleeper in their systems at the time of this purchase.
And so if Bain Capital is buying a company, I'm sure they've done some sort of risk analysis. And they missed this as well. So I do feel a little bit more powerless that a 19-year-old could ripple through this gigantic company and take, we also now know, 60 million students' and 10 million teachers' records and wondering, where do we go from here? That's the ultimate question I don't think I'll ever have answered.
Yeah. So I think, you know, I'm very lucky to be at a place now where I'm dealing with both kind of what we refer to as left of boom and right of boom, right? So when I think about preparedness, right, what can we do before incidents occur? And then response, what do we do after? And so maybe I can talk about those two pieces here. And I think a few thoughts.
One, I'll give you like, what would I do today? And then zoom back out to like, what do I think a proper federal role might look like in other organizations kind of fitting into the puzzle? So I think on the preparedness front, I know that there are some really thoughtful states doing work now about how to ensure that, like in this instance, it was not an employee directly, but instead a contractor. Right.
And so whereas PowerSchool may have had a procedure for ensuring that all employees who had access to student data were required to use hard token MFA, they likely did not. And it sounds like did not have that for contractors. Right. And also because it was a contractor, there was no endpoint detection and response on the device.
And so I think one of the first things I'd want to know from any cloud service that we're going to be using is, do you require and enforce multi-factor authentication, preferably a YubiKey, a hard token, for any employee or contractor or subcontractor or sub-sub-subcontractor or however many levels of contractors you have to use multi-factor if they have access to student, teacher, or family data? Right? Like that should be like table stakes. That should not even be a discussion, right?
Because if that had been in place, that would have solved this problem, right? At least the beginning of this problem, it would have made it harder. Then I think there's another piece around endpoint detection and response on every machine, right? To ensure that, you know, if data goes missing, like the fact that 60 million students' data and 10 million teachers' data went out the door, but they only found out when they were contacted by the extorter to get the money is unacceptable, right?
There is no way you should not have data loss prevention in place to let you know that that much data has left your system. And so I think those are two small pieces on the upfront part of this. And then the more systemic part up front, I think, is really investing ourselves as IT directors, as states in organizations like A4L and their Student Data Privacy Consortium. Right. Because that is the vehicle by which we will be able to as a group do this, because, as you know, we have 14,000 school districts.
Most of them are very small. We have maybe one IT director and one tech, if that many, in most districts. And so the idea that you're going to be able to get all of your major vendors to do something without a whole lot of other people doing it too is challenging. And so that's where that consortium piece really does matter.
And once you have that in contract language, when there is a breach like this, you should be able to hold them accountable. So hopefully that causes the companies to factor that risk in because they need to really make sure that they're proving out what they said they'll do. So that's where I do think like the SOC 2 Type 2 is great. That should be table stakes.
Great. Awesome. Love that. But these other pieces of like, prove to me that you are doing these basic things on all of your systems in a way that we can validate. Right. I think on the front end, that's one piece of the puzzle. Then on the response side, I'll say, you know, when I was in government, this happened, was announced right at the beginning of January when I was still at the Department of Education.
Within a few hours, I was on the phone with the FBI, with the White House and with others to make sure they knew what was going on. And then was briefing this in the Situation Room later that week. Right. And then I met with our government coordinating council, which included you and all of our stakeholders. Right. We had CoSN in there. We had SETDA. We have our superintendents, our school boards, everybody's there. Right.
Saying, hey, what are you hearing? Right. And then everyone was like, this is a huge issue. We're running into this. Like we need to convene all the states. And so we did. And then we had a call like a week and a half, maybe, after the initial event was announced, where we had 41 states and Guam all in the room, right? And we were able to convene them and talk about how is this impacting you?
And we were able to hear from North Carolina, which has a statewide implementation, which looks much different than, you know, states that might have only a few districts and doesn't even know who's being impacted by this, right?
And so I think it's really being able to have the combination of like, upfront preparedness, and then at the top level, the ability to respond and pull together all of the assets of kind of federal and state power to go and address the issue and make sure everybody knows what's going on in a clear way that they can then mitigate. Um, unfortunately, in this case, there's very little mitigation to do. It's basically like your data is gone and you have no control over it.
Right. But in other cases, you know, had this been a disruptive attack. Right. We could have 4000 school districts shut down in a day. Right. And so that is a different kind of problem that we would be dealing with here. You know, so I think it does help us to have practice pulling people together and responding to these things. Um, but I know that's not going to be a satisfactory answer in terms of like making sure that we've solved all the problems, you know.
Well, speaking of solving all problems, I'm going to ask you a question that I know you're not going to want to answer, which is, do you think that now that this person has been arrested, um, and they do mention that there's a co-conspirator as well, so we assume that we know at least one, maybe two of the folks that are involved, do you think that most of the harm has been mitigated by arresting this person, or do you think that the victims of this situation, which are the families and students, um, still need to be, you know, monitoring their credit, being very active and alert, uh, for, for remnants of this issue?
Yeah, that's a good question. So I, I should say up front, I don't know the answer to that question, but now I will wildly hazard some, some guesses. Um, so I think, um, from reading the indictment, uh, or reading the charging documents, it sounds like there was at least one co-conspirator I'm imagining. So if I have to like think my way into the shoes of the people who are going to prosecute this case, right? I imagine they got this person to plea, right?
And that they know who this other person is in Illinois and they're not telling us who they are because they're about to charge them. Right. Um, and we in part know that, right? Because in the charging documents, it refers to the contents of Signal chats, which are end-to-end encrypted, which means you have one of the ends of those chats. So it's either the person who pled out or the other person, right?
If it had said unindicted co-conspirator, then you might assume that the other person was an informant and had informed on the person who's pled out. I would imagine that they got the Signal messages from the person who pled, from this Matthew Lane, and that they are probably going to be charging this other individual in Illinois. And so I think we'll probably find out a lot more information. So I think that's one piece of the puzzle. So I do think there's some harm that has been mitigated.
The other part of this, though, is at least with respect to the first piece of the indictment, which is not about PowerSchool. It's about a telecom company. It sounded as though they did have some rogue members of their group take the data. Right. And that's part of the reason why the group refused to pay them was like, multiple people have this data and we don't know that it's going to get deleted. Right. And so like, why should we trust you and pay that demand? Right.
And I think we are potentially looking at the same situation with PowerSchool. I have no knowledge of it, but there's a decent chance that either, you know, these two people have copies of it and or sent it or sold it elsewhere. And so I think there is a need to be vigilant about kind of checking to make sure that the data doesn't end up online and having your credit checked and things like that. There's not honestly anything actively people can do to prevent it from being dumped online.
It's really just the responsive piece of knowing if it does, that you have things in place to kind of make sure that the harm is mitigated in the best way possible.
This is, I mean, it's such a fascinating case. I never expected this thing to end this quickly, first off, and have it to be a 19-year-old college kid. It just reaffirms the like kid in a basement with a hoodie on and a dark, you know, a dark computer room hacking into people's systems.
Yeah. Yeah. And I think there's something else here, which I think, you know, for our IT directors, you know, we all know the kids in our district who would do this. Right. And so there's the desire to see, like, you know, can we bring them over to the light side versus having them go to the dark side? Right. Because I think that there are these impulses we all have to break into systems and do stuff.
Right. Like, you know, especially as tech nerds. And so I think that there's also possibly a way to think about this into the future of like, you know, how do we find these kids early and then try to get them onto the right path so that we can help divert them from doing things like this? Right. Because, you know, the fact that this was a 19-year-old American kid who just needed to find credentials online means that, like, this could be literally anyone. Could be your brother, could be your cousin, could be whatever. Yeah.
Well, I mean, in the plea deal, we also have reference to him having to pay back approximately $160,000. There's a lesson right there for your students that, you know, your salary of $160,000 or your ransom payment for $160,000 is nothing compared to what you would have made if you had used your skills for good in the cyber sector industry.
Yeah. I think the other thing to note here is like, if you do this in the U.S., you are going to get caught. Like, I think that this is like a great moment for FBI Boston. I know the folks who are on the case. They did a really good job of this. I had spoken with them, like, they are doing good work here. This is what you want to see. Right. You want to see. I mean, ideally, you want to see this be prevented in the first place.
But if that can't happen, what you want to see is cases with handcuffs going on people who have done harm to others and trying to make sure that Americans don't do this to other Americans. Right. Like this is not something that should be OK. Right. And so this is not the kind of thing that we want to condone or allow to happen.
And so I think, you know, that is why the vast majority of these are done by people in other countries, because most Americans whose brains are fully formed because they're, you know, adults know that if you do this kind of thing, you're probably going to get caught.
Well, it's also great. The last couple of weeks we have seen the issue escalating because the extortion attempt started going out to school districts, so it's great to see the trajectory of this thing starting to go down. Yep. I'm feeling a little bit better. Uh, thank you so much for joining us. Uh, this has been a fascinating, fascinating case over the last couple months, and, and thank you very much for your commentary on it.
Absolutely. Thanks, Mark.
The views and opinions expressed on the K-12 Tech Talk podcast are the personal opinions of Josh, Chris, and Mark and do not represent the views or opinions of our sponsors or other organizations that we're affiliated with. The material information presented here is for general information and entertainment purposes only. Thanks for listening, and we'll see you next week.
