A hacker's ransom: Inside the cyberattack that compromised NC student and teacher records

After a hacker accessed the digital records of students worldwide, including perhaps millions in North Carolina, the company that was breached — PowerSchool — began assuring families that the exposed data was no longer at risk of ending up in the hands of other bad actors.

What the company told schools in private, however, was that the assurance came from the hacker — and only after the hacker told the company about the breach, according to state school officials.

On a call with customers in January, PowerSchool said it paid a ransom to the hacker and then watched a video of the hacker deleting the data, people who were on the call told WRAL News. The ransom and video were among the reasons the company felt satisfied that the situation was contained.

“I would take that with an enormous grain of salt,” said Doug Levin, the director of K12 Security Information Exchange, a nonprofit organization focused on the security of educational software.

There’s no way to guarantee that the compromised data — identifying information for likely most of the state’s public school students and teachers since 2013, including more than 300,000 social security numbers — wasn’t downloaded and distributed to the wrong people, he said.

After all, Levin said, hackers can’t be trusted.

The incident is being investigated by North Carolina’s attorney general. PowerSchool faces dozens of federal lawsuits over allegations that it didn’t do enough to protect the data. Now the company is providing identity protection services, including credit monitoring, to people who may have been affected by the breach.

The PowerSchool incident paints a mosaic of a confounding time for parents, students and the people who manage schools: It exposes why children’s data is so coveted by hackers while underscoring that government officials can only do so much to protect it.

Interviews and records obtained by WRAL News since the PowerSchool breach was disclosed in January suggest that possible security vulnerabilities in the company’s software were undetectable by school leaders in North Carolina or elsewhere.

PowerSchool declined an interview request for this article. But in statements and email messages to WRAL News, the company said it has gone to lengths to keep the stolen data from spreading.

“We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,” a PowerSchool spokesperson said in an email. “The incident is contained and we do not anticipate the data being shared or made public.”

The company said in a separate statement to WRAL that it notified regulators on customers’ behalf in certain jurisdictions as well as students or their guardians and educators in the U.S.

“We have seen no evidence of fraud or further misuse of the information involved to date; and have no evidence that other PowerSchool products were affected as a result of this incident, or that there is any malware or continued unauthorized activity in the PowerSchool environment,” the company said.

PowerSchool’s assurances haven’t provided enough comfort to some parents who worry that their children’s information could be used by strangers to apply for credit cards or for other fraudulent purposes.

“I don’t trust it, and that’s just me,” said Kearron Wilson, a parent of three Durham Public Schools students whose data was compromised.

Cybersecurity incidents involving K-12 data have been on the rise in recent years, according to Levin and other cybersecurity consultants. Eighty percent of information technology professionals in K-12 education reported being the target of a ransomware attack in 2023, according to a survey by cybersecurity advisory firm Sopheos. That’s up from 56% in 2022. K-12 was the most-targeted sector in the survey of 3,000 IT professionals.

The increase coincides with a rise in identity theft involving young people. There were 8,197 identity theft reports for people 19 and younger in the first three months of 2025 — up 17.5% from the same period in 2024, according to data from the Federal Trade Commission.

Children’s personal data is highly valuable to hackers looking to take advantage of a demographic that doesn’t have a habit of checking for credit reports in their own names.

Wilson is worried someone will use her kids' identifying information to impersonate her children and hurt their financial futures.

“You can get lights turned on in a child’s name, you can get WiFi in a child’s name, you can get an apartment in a child’s name,” Wilson said.

Turning schools into targets

PowerSchool was founded in 1997 with a simple mission: to help school systems wrangle large amounts of student data. The Folsom, California-based company helps schools manage student information, such as addresses, grades, attendance — even communication between teachers and parents. It operates in more than 90 countries and supports more than 60 million students.

Which is why the company and other education technology competitors have been targets for hackers. More than half of the K-12 school data breaches that occurred between 2016 and 2021 were carried out on edtech vendors, according to the Partnership for Advancing Cybersecurity in Education, a partnership between the U.S. Department of Education and the Center for Long-Term Cybersecurity at the University of California.

PowerSchool has provided the statewide information system — sets of databases on students’ personal information and academic, disciplinary, medical and other records — in North Carolina since 2013. It provides a similar service to nearly one-third of all U.S. school systems and to thousands of schools in dozens of countries across the globe.

A review by cybersecurity firm CrowdStrike found that PowerSchool had been hacked in August. An unknown actor had access to PowerSchool’s customer support portal — which in some cases can lead to access to student information — and unauthorized activity was detected between Aug. 16 and Sept. 17, according to the CrowdStrike report.

In December, PowerSchool was breached again in what cybersecurity consultants characterize as one of the largest K-12 data breaches ever. That was the incident that affected North Carolina’s schools and school systems across the world. CrowdStrike found no evidence that the unauthorized actor in the earlier breach was the same as the one in the December breach.

How the breach happened — and how education leaders are reacting to it — illustrates the difficulty in preventing these kinds of attacks.

Records and interviews with North Carolina public school officials show PowerSchool was unaware that a data breach had even occurred until the hacker informed the company on Dec. 28, more than a week after it happened.

According to state officials, the hacker had compromised the account of a PowerSchool contractor, whose account didn’t have recommended multifactor authentication and who had full access to student and teacher records stored in PowerSchool's customer support portal, called PowerSource.

Multifactor authentication is a security measure that essentially requires at least two forms of verification, such as a password that then prompts a code sent to a separate device.

Lacking multifactor security makes it easier for hackers to access systems.

In the PowerSchool incident, the hacker downloaded two of the most sensitive tables in PowerSource: comprehensive personal information tables for teachers and students, according to PowerSchool and state education officials.

Records obtained by WRAL News show that in Wake County — North Carolina's biggest school district — the data included names, addresses, contact information, photos, grades, race and more than a hundred other datapoints for students.

After the breach, PowerSchool hired Toronto-based CyberSteward to help them handle the breach.

In January, on a call with customers, PowerSchool executives said the company paid a ransom to the hacker and watched a video of the hacker delete the data, according to interviews with people who were on the call. The North Carolina Department of Public Instruction later reported that information in a state security-breach reporting form, under the Identity Theft Protection Act of 2005. WRAL obtained that report via a public records request.

CyberSteward didn’t respond to a WRAL News request for an interview. When pressed by WRAL, PowerSchool didn’t dispute that the company was unaware of the hack until the hacker contacted them, paying a ransom, watching the hacker delete the data via video and that the compromised account didn’t have multifactor authentication.

The company told WRAL News it has since implemented multifactor authentication for all accounts.

‘An unfair fight’

Since the PowerSchool hack, officials with the North Carolina Department of Public Instruction say they have met with all of the department’s data contractors.

The department's chief information officer, Vanessa Wrenn, says DPI reviews the data security of each contractor each year.

PowerSchool, despite lacking multifactor authentication requirements for contractors at the time of the breach, was in good standing, Wrenn said.

Wrenn declined to say whether that was a sign of weakness in the state’s security assessments.

“We always hear in cybersecurity ‘It's not if, but when,’” Wrenn said, referring to the inevitability of a cybersecurity attack. “You’ve all heard that, and we're using the best tools we have.”

Levin, the K-12 cybersecurity consultant, said agencies can only do so much to ensure the security of contractors, or the contractors of contractors, because they can only learn so much about private companies they have no control over.

Many security audits or security assessments are imperfect and have windows into a company’s operations that are limited to whether a policy exists and some evidence that a policy is implemented, he said. And cybersecurity threats are always evolving, making a company potentially safe one day but not the next, he said.

“Many of the [assessments are] really not much more than a self-attestation that they are trying to do the right things,” Levin said. “Everything being equal, I would prefer that my vendors and suppliers have gone through that audit process. It shows that they're at least paying attention. But ultimately, they're not the mechanism that we need to hold these companies accountable for ensuring that when we entrust them with sensitive information that they secure it adequately.”

Companies in other sectors are subject to federal and state laws of baseline cybersecurity requirements, Levin said. But there are fewer cybersecurity laws for schools or companies that work with them, he said.

"And so as a result, school systems are left doing sort of their best efforts in defending their school communities, and they lack the resources and expertise to really do a good job,” Levin said. “And it's particularly challenging because the threat actors targeting schools are largely based overseas, right? And they are essentially professional criminals who spend all day, every day, looking for victims. And school district IT teams in general are under-resourced and understaffed, and so it is the very definition of an unfair fight.”

There is growing interest among policymakers nationwide to pass more cybersecurity laws for the K-12 sector. Last year, lawmakers across many states introduced dozens of bills on the matter, according to the Consortium for School Networking.

North Carolina is relatively unique in that it manages agreements such as the PowerSchool contract on a statewide basis. Such agreements are subject to certain cybersecurity standards. That provides schools with more centralized oversight, likelier to have the time or skills to ensure information security, Levin said. On the flip side, it also leaves more people potentially exposed if just one hack occurs, because data for every student and every teacher in the nation’s 10th-largest state is in there.

North Carolina law requires cybersecurity standards for any statewide information systems. The Department of Information Technology’s statewide information security manual spells out more than 200 pages of rules, including an identification and authentication policy that applies to any state agency, education agency or contractor.

The policy requires all privileged accounts — those that can change the configuration of a system and make other high-level changes — to have multifactor authentication. All non-privileged accounts must have it when accessing networks remotely but not necessarily at other times.

”PowerSchool proactively follows all legal, regulatory, and voluntary requirements for protecting student privacy including federal laws such as the Family Educational Rights and Privacy Act and state regulations, including the North Carolina law related to the protection and maintenance of student records,” the company said in a statement.

PowerSchool, in a separate email to WRAL, also said its contractors were subject to third-party security assessments for general cybersecurity practices.

In 2023, when the state considered a new contract for its statewide information system — required by a state law modernizing the system — some officials raised questions about PowerSchool's contractor security, specifically whether all of them were included in security assessments.

DPI officials told WRAL News earlier this year that they still didn't know if PowerSchool's contractors were undergoing security assessments. Officials have since said the company is in compliance with state law.

Wrenn, the CIO at DPI, told WRAL News in March that PowerSchool’s contract “did meet the required security framework.”

Since the PowerSchool breach, DPI has been verifying security compliance with its contractors.

“We have met with every vendor since this incident and double-checked everything they have in place,” she said.

Ultimately, the Department of Public Instruction selected PowerSchool competitor Infinite Campus to provide the state's next statewide student information system.

Starting July 1, all North Carolina public schools will use Infinite Campus, instead of PowerSchool. Bid records show DPI officials were satisfied with Infinite Campus’ data security record.

PowerSchool also bid for the contract but was not selected. The company is appealing that decision, arguing the company was improperly not considered, among several other concerns.

Risks to children, teachers

PowerSchool is offering two years of credit protection for anyone affected by the breach. Meanwhile, credit reporting company Experian is conducting the notifications via current contact information known by PowerSchool.

PowerSchool says any current or former students or teachers who believe they could be affected but who haven’t received a notification should contact their former school to find out if they were affected. People have until July 31 to apply for the credit protection.

Experian isn't telling people what data of theirs was breached. Schools, even within North Carolina, have been able to customize the data kept in PowerSchool, so the data breached in one county might not be the same as the data breached in another. PowerSchool told WRAL News that people wanting more information on what data was accessed should contact their local school system to find out.

Wilson, the Durham mom, has signed up one of her children for credit protection. She’s waited on signing the other two up, weighed down by a feeling it won’t be enough to really help her children.

“Once it’s out there, it’s out there,” she said. She thinks about their information potentially appearing on the dark web. “All kinds of stuff started rushing through my mind,” she said.

While Wilson has been going back and forth about signing up her other two children for credit protection, she is also not convinced of PowerSchool’s assertions that they don’t expect the data to end up on the web, knowing that company officials negotiated with the hacker. She further worries more hackers will be encouraged.

And she’s worried that North Carolina’s public schools are still vulnerable to bad actors. Wilson wants schools to ultimately collect less personal information about children.

“They have completely lost all of my trust,” Wilson said.

PowerSchool has reported the breach to law enforcement and the company says it has enlisted the help of law enforcement and others to monitor the internet for signs of the PowerSchool data. So far, the company says it hasn’t located anything.

Under the credit protection being offered, adults can get a credit report, credit monitoring and monitoring of the web for identity theft.

For children, Experian wouldn’t monitor credit. But it would trace a child's social security number to see if it shows up in an Experian credit report. That could be a sign the child’s identity has been used to fraudulently open up an account of some kind.

Although most students’ social security numbers weren’t part of the breach, Levin said their identities can still be stolen if enough other personal information was breached.

Children’s data is actually more valuable than adults’ because children don’t usually monitor their own credit scores.

“It can be quite a long time before they learn of an issue, and so that is super valuable to a cybercriminal,” Levin said.

People can also freeze their credit for free, Levin said. That’s something they can do without the credit protection offered by PowerSchool or after those two years are over.

When a person freezes their credit, they must give written authorization for a credit report to be released. That can mean a delay in securing a loan or making purchases. But it also means a thief can’t open a new loan or line of credit in their name.

“That little inconvenience in unlocking your credit record is going to be well worth the comfort you get from knowing that it’s going to be much harder for there at least to be financial fraud against you as a victim of this incident,” Levin said.