
Pictured is Clinton City Schools Executive Director of Technology and Auxiliary Services, John Lowe, who recently brought forth new information on the PowerSchool cybersecurity breach that hit North Carolina late last year.
New information has come to light on the state’s plans to help members of the school system who were negatively affected by the PowerSchool cybersecurity breach that struck North Carolina.
This past December, PowerSchool, the cloud-based Student Information System (SIS) used for managing student and teacher data, became aware of a breach. NCDPI (NC Department of Public Instruction) reported that the breach involved unauthorized access to data of both students and teachers after a PowerSchool contract employee’s credentials were compromised.
PowerSchool also reported that it had contained and destroyed the threat and any compromised data. Information on the situation went out in January and detailed that both Clinton City and Sampson County Schools were affected in some partial fashion. Since then, news has come forward on how PowerSchool intends to remedy the issue for anyone affected over the next couple of years.
“We found out that PowerSchool (contracted with Experian) is going to agree to pay two years of credit monitoring for any individuals who are now adults that were affected by their data breach,” Executive Director of Technology and Auxiliary Services John Lowe said in recent talks with the Clinton City Board of Education. “If they’re still minors, they will receive identity protection. The adults receive both credit monitoring and identity protection for two years at no cost. So we sent out notifications to parents and guardians that, that would be coming.”
Lowe said he received inquiries about PowerSchool’s sign-up notifications, as recipients were concerned the email was a phishing attempt. Lowe, however, confirmed those notifications are legitimately from PowerSchool.
“I waited to send out that information until I had the actual links,” he said. “That way, people could follow my link and sign up for that if they so wish, and then PowerSchool is following up with information about it. The challenge with PowerSchool’s notifications is that all they have are the email addresses that were in the database at the time. So if you were a student from say, 2013 to now, and all they have is your student email, you’re never going to get that notification, because you’re not going to use your Clinton email if you’re out doing life at this point.”
He continued, “That’s why I wanted to have the links and the communication I sent out and published on the website so that is underway. That afternoon, when I sent the link out, there was a flurry of others who got their notification from PowerSchool. They were querying me, asking if this was some phishing attempt, which I was glad they were suspicious, but this one is not, and it’s continuing in a staged effort from PowerSchool to get that information out.”
Also of note, Lowe said, signing up for credit monitoring required a thorough identity verification process. While a bit tedious, he said, the process is how PowerSchool ensures that only the rightful individuals are enrolled in these services.
“Hopefully, people became knowledgeable of this and are able to take advantage of the opportunity,” he said. “I signed up, and it’s not an overwhelming process, but it is an intricate process. When you’re doing credit monitoring, because they have to verify you are who you are, they’re going to ask some in-depth questions. Ones like, did you ever have a car loan from a said vendor? It will give you some options, and you just have to say none of those, or you pick one. Another example is, did you ever have a mortgage or own a property with this address, you have to be able to answer those questions and so forth. If you don’t, they won’t let you sign up because you may be trying to impersonate someone.”
Lowe also relayed information PowerSchool sent to school systems on the extent of the data breach:
“PowerSchool informed us that the taken data primarily includes parent and student contact information with data elements such as name and address information,” Lowe said. “Across their customer base, they have determined that for a portion of individuals, some personally identifiable information (PII) was impacted, but there is no evidence that credit card or banking information was involved.”
A question did come from the board about whether the breach reached their members as well. “So John, this data breach only affects students’ and parents’ information, was the board’s information in there too?” Clinton Board of Education Member Carol Worley asked.
“The bad actors only accessed the student data tables and the staff data tables,” Lowe replied. “When they gained access to PowerSchool, they probably would have accessed more, but it was detected and closed off, and all they were able to pull were student and staff data tables. The frustrating part is, when North Carolina implemented PowerSchool, a decision was made so it could connect to a human resource platform that staff members would have their social security number in the student information system.
“At some point that was rescinded, but our school neglected to take all of the social security numbers out of their historical database,” he added. “So for some of our staff members, approximately 113 going back from 2013, were affected with social security. I can’t pull their individual data, but I at least got the aggregate number. So again, to the 113 staff members that did have their social affected, you may want to take advantage of this opportunity to monitor credit. And of course, we shared the information from the Department of Justice on how you can freeze your credit with all three of the major credit reporting agencies.”
Lowe further noted that the board of education members typically don’t have accounts through PowerSchool and only teachers and students on their data table were affected.
“We really have no way of knowing if the board was affected for sure,” Lowe said. “But, PowerSchool’s COO did say, they were not going to spend money and effort and hire a team to vet every individual’s sign up. He told us, for everyone that completes an application and signs up, they’ll pay for the credit monitoring and identity protection for two years. You just need to have been in the school system between 2013 and 2024 school years.”
For more information and to access the sign-up link, visit www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.
Reach Michael B. Hardison at 910-249-4231.