 |
After a PowerSchool data breach in December 2024 that compromised student and teacher information, “threat actors” have made contact with North Carolina school districts, once again requesting payment.
On Wednesday, threat actors reached out to public school employees across North Carolina claiming to have obtained the student and teacher records stolen in December, according to the Department of Public Instruction (DPI).
PowerSchool, a student information system in use by the state of North Carolina since 2013, alerted North Carolina schools in January of a cybersecurity threat. The credentials of a PowerSchool contract employee were compromised and used to download student and staff data tables.
In January, according to DPI’s website, PowerSchool said that compromised data was not shared and had been destroyed. (Read the full incident statement here.)
However, the data appears to be under threat again. It is unclear if the current threat actors are the same actors from last year’s breach, said DPI Chief Information Officer Vanessa Wrenn at a virtual press conference Wednesday evening.
“In our conversations with PowerSchool, they have indications it is the same threat actor, but they cannot verify that,” she said. “What we do know is that data is not destroyed, and it is out there.”
PowerSchool’s May 7 update says the company paid a ransom in the days after it discovered the initial December breach.
“It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action,” the website says. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”
Who’s affected
The threat actors made contact on Wednesday with DPI and 20 local education agencies (LEAs), according to Wrenn. DPI did not make the list of contacted LEAs available. The LEAs were contacted through seemingly randomly chosen public email addresses.
Emails public school and DPI employees received requested Bitcoin in exchange for the compromised data.
In the past few days, identical communications have been received in Oregon and Canada, Wrenn said. (The data originally stolen was not just from North Carolina — PowerSchool clients were impacted globally.)
The stolen data includes the information of current and former students and educators. According to the PowerSchool website, one or more of the following were stolen from victims:
- Name
- Contact information
- Date of birth
- Limited medical alert information
- Social Security Number (SSN)/Social Insurance Number (SIN)
- Other related information
Victims of the cyberattack are not limited to the districts contacted on Wednesday. At the DPI virtual press conference, state Superintendent Maurice “Mo” Green emphasized that students and educators from across the state are affected, not just the 20 school districts recently contacted.
What you can do
If you are contacted by threat actors, DPI recommends that you do not reply. Instead, reach out to your district’s technology team and the cybersecurity team at DPI.
If you or your child were potentially affected by the data breach, there are resources available. In January, PowerSchool offered identity protection and credit monitoring for free, regardless of what information about an individual was exfiltrated.
The deadline to enroll for identity protection and credit monitoring services has been extended to July 31, 2025. Enroll here. DPI said it is strongly advocating for that deadline to be pushed back even further.
Also consider a security freeze.
The response
DPI said it is working closely with law enforcement and that it has notified all public school units affected.
“Here in North Carolina we certainly take protecting educator and student data very seriously,” Green said. “We remain committed to making sure schools have the information and support that they need.”
Both DPI and PowerSchool said they have notified relevant regulators on behalf of victims of the cyberattack. DPI also said it would do legal reporting on behalf of victims, including sharing information with the North Carolina Attorney General’s Office.
Attorney General Jeff Jackson previously announced in February he was investigating PowerSchool for potential violations of the law.
At the virtual press conference, Green thanked DPI’s cybersecurity team as well as school and district staff members for their quick responses to the situation.
He was also grateful to the FBI who “are diligently investigating this matter” and to the volunteers of the NCLGISA IT Strike Team, which “is assisting DPI in confirming the validity of the data shared by the threat actors.”
What next?
DPI officials stressed that this event is ongoing. Check the DPI website and PowerSchool website for updates.
“I do want to express my regret to our students, parents, teachers, and school and district members that have been affected by this incident,” Green said. “It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants. We are, as I mentioned earlier, working with law enforcement to try to do everything we can do to be sure that the responsible parties are held accountable for their actions.”
