A cyber attack on a company that provides K-12 software to school districts across the country — including, recently, every district in North Carolina — has exposed student and teacher information, leaving students, teachers and families to worry about the impact on their privacy.

PowerSchool — the Folsom, California-based contractor that created and maintains the database — is still sorting through who was affected and what data was illicitly accessed. Officials in North Carolina say the social security numbers of some students and teachers were exposed.

Here’s what to know. 

So what happened and when?

On Dec. 19, the account of a PowerSchool contractor was compromised. According to PowerSchool, someone used the contractor’s account to access a “maintenance tunnel” in the system and extract data from two different tables. 

PowerSchool discovered the breach on Dec. 28 and notified North Carolina customers on Jan. 7. The company has also notified law enforcement and worked with cybersecurity advisory firm CyberSteward on negotiating with the infiltrators.

What is PowerSchool and what kind of information is in the system?

PowerSchool is a company providing data services to schools across the globe. It has more than 18,000 customers in more than 90 countries, serving more than 60 million students. 

North Carolina has a contract with the company for a statewide student information system. It can be customized by school districts, and teachers and parents often enter information about students, such as birth dates and other personal data, contact information, attendance records, grades, discipline records and limited medical information. North Carolina has used it since 2013.

What kind of information was compromised?

North Carolina education officials say all schools that have used the PowerSchool student information system were affected to some degree. That’s pretty much every public school except for charter schools that opened just this year. Officials also say that the social security numbers of some students and teachers were exposed. 

Fewer than 1,000 students’ social security numbers were exposed, though more teachers’ numbers were exposed than students’. 

PowerSchool — which is trying to determine the full scope of the breach, including the identities of those affected and what data was illicitly accessed — says two tables were accessed, and they primarily contain contact information. 

The company hasn’t said what data is contained in those tables but said Jan. 8 that they “may also include” personally identifiable information, limited medical information and limited grade information. 

The North Carolina Department of Public Instruction has said no medical data was breached for North Carolina. 

Who was behind the breach and who has the data now?

PowerSchool hasn’t said who is behind the breach, except that a contractor’s account credentials were compromised. The company says the data obtained by the unauthorized persons has been destroyed — a message DPI and schools have repeated in assurances to the public. 

Cybersecurity consultants caution that there’s no way for a company to know whether data extracted from their system was destroyed. PowerSchool hasn’t detailed why it believes the data has been destroyed, except to say that CyberSteward worked with the hackers and, based on conversations with CyberSteward, company officials feel assured the data hasn’t been shared and won’t be shared.

Was my data or my child’s information compromised?

PowerSchool is still evaluating the extent of the data breach. North Carolina schools learned of the breach on Jan. 7 but they weren’t informed that they were affected until Jan. 11 and Jan. 12, according to DPI.

How can I find out if my data or my child’s data was compromised?

PowerSchool said it would inform customers who were affected once it identifies them. According to DPI, that could be as soon as the end of the month.

If my data or my child’s data was compromised, is there anything I can do?

PowerSchool plans to offer credit monitoring for anyone whose social security numbers were breached, including children. Experts recommend freezing credit reports or monitoring credit scores or purchases, in case the data still ends up shared with bad actors. People can freeze their credit for free using a few different tools: https://ncdoj.gov/protecting-consumers/protecting-your-identity/free-security-freeze/

In the meantime, PowerSchool says it is working with law enforcement agencies to monitor the dark web for the data. It’s unclear which agencies they’re working with.

When will we know more?

Information is still just trickling out. According to DPI, PowerSchool could inform affected individuals as soon as the end of this month.

Why am I just finding out about this?

PowerSchool waited 10 days after it knew of the breach to inform customers. A spokesperson for the company didn’t directly explain why but said the company has been trying to ensure the accuracy of the information it communicates. 

PowerSchool informed school systems of the breach on Jan. 7 and told them last weekend whether they were affected. The company still doesn’t know who was affected or the full scope of the data that was breached. 

State law requires businesses to inform people who are victims of a cybersecurity breach — and they expect government agencies to do the same. But agencies do not yet know who specifically is affected. Still, some school systems have chosen to tell the public about the breach, adding that they will have more information at a later date.

Who’s to blame?

The breach occurred in a PowerSchool maintenance tunnel and involved a compromised account of a PowerSchool contractor. Neither the North Carolina Department of Public Instruction nor the local schools have access to the maintenance tunnel and, according to them, they could not have stopped the breach.

Is this just a North Carolina thing?

The breach affected PowerSchool’s customers globally.

Is the state doing anything to change systems?

The North Carolina State Board of Education signed a contract for a new statewide information system vendor in November 2023, after a new state law required some modernization of the statewide student information system. The new contractor is Infinite Campus, and many school systems and charter schools are already using it. All public schools will transition to it by July 1. PowerSchool has filed a bid protest challenging the new Infinite Campus contract. Another hearing on that protest is scheduled for later this month.

What does PowerSchool have to say?

PowerSchool has conducted password resets and added access controls for customer support portals, such as the one that was breached. In a statement to WRAL News on Jan. 7, the company said: “PowerSchool is committed to protecting the security and integrity of our applications. We take our responsibility to protect student data privacy and act responsibly as data processors extremely seriously. Our priority is to support our customers through this incident and to continue our unrelenting focus on data security.”

PowerSchool has additional resources that may cover additional questions.

The company made a reference page on its website Jan. 13.