The state’s student information system, PowerSchool, informed the North Carolina Department of Public Instruction on Jan. 7 that hackers accessed teacher and student information.
While Cumberland County Schools switched to a different student information system this school year, the school system was told over the weekend that its legacy data still stored in PowerSchool was affected by the hack.
“The North Carolina Department of Public Instruction has committed to providing our school system with detailed information about the breach, including how many specific students and teachers were impacted and what data was compromised,” Lindsay Whitley, Cumberland County Schools associate superintendent of communications and community engagement, told CityView. “At this time, it’s our understanding that the types of information accessed include social security numbers, student ID numbers, email addresses, etc.”
CCS is working with PowerSchool to notify impacted individuals using the contact information already provided to the school system, including via phone, email and U.S. mail. If an individual is worried about missing a district call because they blocked the number, Whitley said they can call the ParentLink Hotline at 855-502-7867 and select “Option 2” to opt back in.
While PowerSchool might reach out, the company’s webpage about the hack states that the company “will never contact you by phone or email to request your personal or account information.”
The page also provides FAQs to answer parents, educators and school systems’ questions about the breach. The company has also published FAQs for staff and parents on PowerSchool Community, the company’s support portal.
“While this breach involved a system no longer used by CCS, we are taking the situation seriously and working closely with NCDPI as they collaborate with PowerSchool,” Whitley said.
While exactly which years of data were compromised has not yet been determined, this school year’s student and teacher information is safe since it’s held in a different system.
CCS was part of the first phase of the North Carolina Department of Public Instruction’s shift away from PowerSchool as the state’s student information system. Starting this school year, the county’s public schools stored demographic details, grades and other information in the North Carolina Student Information System (NCSIS), powered by software company Infinite Campus and not PowerSchool.
However, as was in the case for CCS, data from prior school years still stored in PowerSchool was up for grabs by the hacker, according to WRAL News reporting on the breach.
“It is important to note that neither Cumberland County Schools nor NCDPI could have prevented this incident, as we do not have administrative access to the system’s maintenance tunnel,” CSS’ press release on the hack stated.
According to WRAL News, PowerSchool determined the threat began on Dec. 19. The company realized it was being hacked on Dec. 28, 10 days before it alerted NCDPI about the incident.
The company’s FAQs about the breach on PowerSchool Community states PowerSchool paid a ransom to the hackers to ensure the data accessed was deleted, according to reporting from information security and technology news publication Bleeping Computer.
Even if data was accessed, a PowerSchool spokesperson told CityView that the California-based education cloud-based software company believes the data taken by the hackers was “deleted without any further replication or dissemination.”
In a report to the North Carolina Board of Education on Jan. 8, Vanessa Wrenn, chief information officer for the Department of Public Instruction, said PowerSchool is working with law enforcement to monitor the Internet and the dark web in case any information is published.
Additionally, PowerSchool worked with the Canadian cybersecurity advisory firm Cyber Steward to determine a data breach had occurred and the stolen data was destroyed. It also worked with CrowdStrike, a data protection company the state uses to secure its schools and infrastructure, to conduct a forensic analysis of the hack.
“I can confirm that PowerSchool has taken all appropriate steps to prevent the data involved from further unauthorized misuse and does not anticipate the data being shared or made public,” the PowerSchool spokesperson said.
For those affected, the PowerSchool spokesperson told CityView that the company is “committed to providing affected customers, families, and educators with the resources and support they may need as we work through this together.”
Whitley said more specifics on what protection measures the company will offer to the district’s impacted individuals are coming. The company’s webpage states it will provide more information about credit monitoring and identity protection services as it becomes once available.
“As we learn more from NCDPI, we will continue to take the appropriate next steps,” Whitley said. “We appreciate everyone’s patience as we address this matter.”