‘Threat actor’ claims to have NC student data months after PowerSchool assured officials it was safe

Public school employees across North Carolina received threatening messages from people who said they had access to student and teacher data that was exposed when a contractor was hacked in December, state education officials said Wednesday.

The announcement comes days after the breached company — PowerSchool — told WRAL News they still had seen no evidence that the hacked data had been leaked and months after PowerSchool told WRAL that the situation was “contained” that it didn’t anticipate the data being shared or made public.   

The messages received by school employees Wednesday shared evidence that the sender has the same data that was hacked, leading state officials to believe the data is now in the hands of bad actors.

“That information was not destroyed and is out there,” Vanessa Wrenn, chief information officer at the North Carolina Department of Public Instruction, said on a call with reporters late Wednesday.

WRAL reported Sunday that PowerSchool had paid a ransom and watched the data be deleted via video.

“It is certainly unacceptable that these families and servants have had their data compromised,” state Superintendent of Public Instruction Mo Green said during the call. “It is completely unfortunate that the perpetrators are preying on students and dedicated public servants.”

PowerSchool was hired by the state in 2013 to manage student and teacher data across the state. The hack, which was disclosed in January, exposed the records of students and teachers around the world, including likely millions of North Carolina. 

“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” the company said in a statement on Wednesday. “We do not believe this is a new incident, as samples of data match the data previously stolen in December.” 

A PowerSchool spokesperson didn’t immediately provide a response to a WRAL request for more information.

Wrenn and Green said that the threatening emails — which requested cryptocurrency payments to keep the data secret — were sent to about 50 DPI staff members and 20 local education agencies. The officials didn’t specify which school systems or charter schools were included among the agencies. A spokesperson for the Wake County Public School System said that as of Wednesday afternoon, no one in the district had reported receiving a threatening email.

Educators in Oregon also began receiving emails this morning, Wrenn said, and some PowerSchool customers outside of the United States began receiving them two days ago.

Wrenn and Green advised recipients of these messages not to engage with it and to immediately report it to DPI, using a form on the state’s website. The state won’t engage with the threat actor, Green said, noting that the agency is not allowed to by law.

PowerSchool told customers that it hasn’t confirmed whether the messages sent this week are coming from the party that hacked PowerSchool in December, Wrenn said.

WRAL, citing state officials, reported Sunday that the company told customers that it paid the hacker a ransom and watched the hacker delete the data via video. PowerSchool addressed the ransom in its statement Wednesday, saying it was the best option to prevent the data from becoming public.  

“We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” the company said. “It was a difficult decision, and one which our leadership team did not make lightly. … As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

North Carolina Department of Public Instruction, the state agency that oversees the state’s public schools, said in a news release Wednesday that it had notified law enforcement agencies and schools about the potential threat. DPI said authorities are investigating the incident. PowerSchool also said it had notified law enforcement agencies in the U.S. and Canada. 

“We sincerely regret these developments,” the company said. “It pains us that our customers are being threatened and re-victimized by bad actors.”

PowerSchool said at the time of the breach that the situation was “contained” and that it didn’t expect the data to fall into the hands of other bad actors. 

The company said in a statement to WRAL News last week that it had notified regulators on customers’ behalf in certain jurisdictions, as well as students or their guardians and educators in the U.S. 

“We have seen no evidence of fraud or further misuse of the information involved to date; and have no evidence that other PowerSchool products were affected as a result of this incident, or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the company said in a statement on Friday in response to questions ahead of a WRAL report on the breach.

The company’s breach and reaction to the breach have left cybersecurity consultants warning that people still need to protect themselves and children from identity theft.

Children are especially vulnerable to identity theft because they don’t receive regular credit scores or reports. PowerSchool is offering ways for affected adults and children to protect themselves, and cybersecurity efforts have suggested they consider several measures.

All North Carolina public schools will begin using Infinite Campus to manage school data July 1, instead of PowerSchool. That decision, made by state officials in 2023, has been appealed by PowerSchool.

On Wednesday, Green said Infinite Campus was chosen over PowerSchool for many reasons and that DPI is satisfied with its security infrastructure.