
Here’s the full transcript of our very own cybersecurity specialist, Hank “The Hacker” Fordham, featured as a guest on iHeart’s “Shane Hewitt and the Night Shift” on January 15, 2025.
[Shane]
Welcome back to Shane Hewitt and the Night Shift on the iHeartRadio Talk Network. I’m in Ottawa. Your kids have apps for their schools.
PowerSchool, something like that. You can see the grades. Remember what it was like taking your report card home back in the day?
Yeah, no, not anymore. It’s on an app. Quite often the parents get to see those grades before you get home there, kid.
They can get an alert on their phone just after they got in a fight with a co-worker. And they can see that you got a D minus in math. Oh, that’ll make dad happy.
That one’s going to live with you right through to counseling in your 40s when you try to deal with it later. But seriously, all of that information is online now. Schools have relied on these programs for a few years now to be able to get lunch money, take payments for your ski trip, to be able to give you your schedule, communicate with the teacher, and get those grades.
Hypothetically, what would happen if someone hacked that? Oh, look, it happened. Hank Fordham is here helping us understand what’s going on.
Hank is a white hat hacker, which means that they’re like a locksmith. They help you protect the locks of all the things. He’s been on Dr. Phil and other places, X10 Technologies, where you can find him. And “What the Hack” on Facebook. Hank, how are you?
[Hank]
I’m great. Thank you so much for having me on, Shane.
[Shane]
It’s great to see your face, bud. The PowerSchool. Oopsie.
[Hank]
Oh, boy. This one is a big one, man. And when we look at the fact that it’s international, this was a student information system that was being used not only by school districts in Canada, but also by school districts in the U.S. Obviously, I’m based here in Canada, but we have offices based throughout the U.S., Canada, and Asia. And one of the things that I’ve noticed is just the amount of, I guess, reliance that this PowerSchool program has in the school industry. It currently serves more than 18,000 customers in 100 different countries.
[Shane]
It’s a staggering number. So what happened? Someone broke in and took all the kids’ and parents’ info?
[Hank]
Yeah, and that’s where this one gets scary. And it’s something that, while it’s still in its early stages of reporting and discovery, it’s something that could very well have, and there’s evidence of it having gone on for much longer than we’re actually aware of. And the reason for this and the reason for the breach in the first place is because of the active trade of stolen credentials on the dark web.
And so when we look at third-party websites getting breached and malware getting installed on devices and stealing these passwords or exposing these passwords on the dark web, it’s opened up this large kind of shady industry where hackers and cybercriminals will get a hold of that information and they’ll actually use it to try and access different resources. And so what we had here is a piece of this information or a leaked password or what looks, in my research, to be a few hundred exposed or leaked passwords being used to access an application called PowerSource, which is basically a dashboard or a customer support portal that’s made by PowerSchool in order for IT administrators and teachers to manage that student information, things like names, addresses, SIN numbers, geographic information, dates of birth, medical information, and the list goes on and on. So it’s quite significant, the level of data that was exposed, and in particular because it was related to students and to youth, which tends to be on the black market of very high value for fraudsters and cybercriminals in general.
[Shane]
Now, that to me gets me, I think, this is you know me well enough, Hank, to know that my brain can go to some pretty good criminality if I have to think about it. Like, what would you do with that info? And what that lands to me is if you have a kid who’s 12 or 14 and you have that, you have their birthday, their social insurance number, you have all that, you almost have a three to five, six-year run-up of criminality before they become aware and start filing taxes and having a credit bureau, right?
Like, you could really do a lot of damage to that identity by taking out credit, by doing whatever, in advance of them going to do it themselves. And we’re going to have a conversation from the fraud perspective later in the week. Someone took out two credits, tried to take out two credit cards in my name over Christmas.
Now, for me, it’s easy to mock me, right? Like, my birthday is online, my name is online. Like, it’s easy to find me.
And I have an alert on my bureau. So I got an alert email and it told me all about it. So I call and I say, hey, by the way, that’s not me.
And they’re like, okay, and then they cancel it. So we’ll dig into the fraud end of it later. But if I didn’t have that, I would never have known there would be credit cards in my name attached to my bureau right now.
If you think of these kids and their stuff getting taken, the teachers might have credit monitoring. The teachers might be going to buy a car or a house. And they’re going to find out real quick somebody’s done something.
You might not find out for years for these kids.
[Hank]
That’s right on the bullseye. And that’s exactly it. A lot of professionals, including myself in the industry, are saying that on average it’s about three years that this information or even an active compromise can take place before a client without the right protections in place can even become aware of this.
And that’s one of the reasons that we’ve started developing services like dark web monitoring and cyber threat intelligence at X10 Technologies to help clients predict these kinds of compromises or breaches before they hit the headlines. And on top of that, I think it’s important for schools and companies in general to be completing those penetration tests to make sure that information isn’t hanging, it’s not low-hanging fruit, and it’s not being targeted much more by hackers. But the scary thing is without these kinds of services or safe places put in place or implemented, you might not be aware of that information being exposed or what that information that exposed was for an average of up to three years.
[Shane]
So I just want to be really clear for everybody who’s listening. The parents who are listening have kids or a PowerSchool, like I have a PowerSchool profile because when my kids went to school, it’s possible that all got snagged, right? And so if you look at this in your district, the school district uses PowerSchool or whatever, and they’re not really saying much, Hank, this is a big deal.
And I’m going to suggest this. You don’t have to. I was looking for your affirmation that this is a big deal.
You should be calling your district asking questions to find out if you were involved. Is that a fair statement?
[Hank]
You know, I absolutely agree, and I think this is a really big deal, and it’s something that, you know, like I said earlier, it’s still kind of developing. The event is still developing, and we’re still becoming more and more aware of the different districts or the different customers that were included in that exposure. From my research alone and on our dark web database where we monitor this information, there’s 865 unique logins exposed right now related to the PowerSource dashboard login.
And so this is 865 different school districts that could be exposed. And another one of the reasons why through X10 Technologies I’ve started offering a free dark web scan that only takes about 15 minutes.
[Shane]
Wow, and that’s interesting, right? I mean, if you give access to the tech portal, just think of what you could get access to without even hacking because you basically have cut yourself a key at that point. Okay, “What the Hack” on Facebook.
You can get in touch with Hank that way. It’s a great way to go. And just give him a Google.
You’re going to find him. It’s Hank Fordham. Hank, it’s good to see you, buddy.
I appreciate you being here.
[Hank]
Oh, Matt, my pleasure. Thank you so much, Shane.
[Shane]
Hank has saved my butt more than once in these conversations so I can learn. So you should learn too. A PowerSchool hack is a big deal.
Ask questions. Shane, you’re out on the night shift.