A December data breach exposed the records of millions of North Carolina students and teachers who had used the PowerSchool statewide information system at one point.

California-based PowerSchool said the breach, which affected schools across the world, is “contained” and that they don’t expect any release of the data.

Other WRAL Top Stories

According to North Carolina officials, the company told customers that they paid the hacker a ransom and watched the hacker delete the data via video.

The company said in a statement to WRAL News that it notified regulators on customers’ behalf in certain jurisdictions, as well as students or their guardians and educators in the U.S. 

“We have seen no evidence of fraud or further misuse of the information involved to date; and have no evidence that other PowerSchool products were affected as a result of this incident, or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the company said.

But the company’s breach and reaction to it have left many parents uneasy and left cybersecurity experts warning that people still need to protect themselves and children from identity theft.

Children are especially vulnerable to identity theft because they don’t receive regular credit scores or reports.

Here’s what people can do.

What PowerSchool is offering to help

PowerSchool is offering two years of credit protection for anyone affected by the breach. Meanwhile, credit reporting company Experian is conducting the notifications via current contact information known by PowerSchool. PowerSchool says any current or former students or teachers who believe they could be affected but who haven’t received a notification should contact their former school to find out if they were affected. People have until July 31 to apply for the credit protection.

Experian is not telling people what data of theirs was breached. Schools, even within North Carolina, have been able to customize the data kept in PowerSchool, so the data breached in one county may not be the same as the data breached in another. PowerSchool told WRAL News that people wanting more information on what data was accessed should contact their local school system to find out.

PowerSchool has reported the breach to law enforcement and the company says it has enlisted the help of law enforcement and others to monitor the internet for signs of the PowerSchool data. So far, the company says it hasn’t located anything.

Under the credit protection being offered, adults can get a credit report, credit monitoring and monitoring of the web for identity theft.

For children, Experian wouldn’t monitor credit. But it would trace a child's Social Security number to see if it shows up in an Experian credit report. That could be a sign the child’s identity has been used to fraudulently open up an account of some kind.

Why children are especially vulnerable to data leaks

The breach exposed more than 300,000 teachers’ social security numbers and more than 900 students’ social security numbers, according to the North Carolina Department of Public Instruction. But parents should still be worried.

Although most students’ social security numbers weren’t part of the breach, their identities can still be stolen if enough other personal information was breached, said Doug Levin, director of the K12 Security Information eXchange, a nonprofit focused on cybersecurity in schools.

Children’s data is actually more valuable than adults’ because children don’t usually monitor their own credit scores.

“It can be quite a long time before they learn of an issue, and so that is super valuable to a cybercriminal,” Levin said.

What else people can do

People can also freeze their credit for free, Levin said. That’s something they can do without the credit protection offered by PowerSchool or after those two years are over.

When a person freezes their credit, they must give written authorization for a credit report to be released. That can mean a delay in securing a loan or making purchases. But it also means a thief can’t open a new loan or line of credit in their name.

“That little inconvenience in unlocking your credit record is going to be well worth the comfort you get from knowing that it’s going to be much harder for there at least to be financial fraud against you as a victim of this incident,” Levin said.

Lingering parent concerns

Kearron Wilson, a Durham mother of three students, has signed up one of her children for credit protection. She’s waited on signing the other two up, weighed down by a feeling it won’t be enough to really help her children.

“Once it’s out there, it’s out there,” she said. She thinks about their information potentially appearing on the dark web. “All kinds of stuff started rushing through my mind.”

While Wilson has been going back and forth about signing up her other two children for credit protection, she is also not convinced of PowerSchool’s assertions that they don’t expect the data to end up on the web, knowing that company officials negotiated with the hacker. She further worries more that hackers will be encouraged.

And she’s worried that North Carolina’s public schools are still vulnerable to bad actors.

Wilson wants schools to ultimately collect less personal information about children.

“They have completely lost all of my trust,” Wilson said.