Jan 15_PowerSchool Data Breach Info
January 15, 2025
Dear Craven County Schools Families and Staff:
The PowerSchool Student Information System has been used in all North Carolina public schools since 2013. On the afternoon of Tuesday, January 7, 2025, PowerSchool alerted the North Carolina Department of Public Instruction (NCDPI) to a cybersecurity incident impacting student and teacher data across their global client base. This incident was not isolated to North Carolina and potentially impacted millions of students and staff nationwide.
On December 28, 2024, PowerSchool became aware of a cybersecurity incident that began on December 19, 2024, involving unauthorized access to student and teacher data. The data breach occurred when the credentials of a PowerSchool contract employee were compromised. PowerSchool has shared that the threat has been contained and that the compromised data was not shared and has been destroyed. PowerSchool is working with its senior leadership and third-party cybersecurity experts to assist with completing the investigation.
On the evening of January 10, 2025, we, along with all other districts in North Carolina, were notified that Craven County Schools student and teacher information was part of the data impacted by the breach. Craven County Schools has been made aware of how many records have been affected and what data may have been compromised. We have also been informed that no student social security numbers were included in the breach.
PowerSchool will be responsible for conducting all necessary notifications to ensure appropriate and accurate compliance with local, state, and federal requirements and laws. Affected staff will be informed about which information was shared and any corrective action PowerSchool intends to take.
PowerSchool has confirmed that there were no actions that Craven County Schools or NCDPI could have taken to prevent this cybersecurity incident. Neither our schools nor NCDPI have administrative access to PowerSchool’s internal administrative connection where the breach occurred.
Please be assured that Craven County Schools, together with NCDPI, are committed to safeguarding the information of our school community and will continue to advocate for the well-being of our students and educators. While Craven County Schools is no longer a customer of PowerSchool, effective with the transition to Infinite Campus in July 2024, our student and staff data was still stored in their system. We understand the importance of this issue and will keep you informed as more information becomes available. If you have additional questions regarding this incident, we recommend visiting the resource link provided by PowerSchool: https://www.powerschool.com/
Please see the FAQ below to learn more about this incident.
PowerSchool Data Breach: FAQs
- What happened?
On December 19, 2024, a cybersecurity incident occurred at PowerSchool, the Student Information System previously used by all North Carolina public schools and many districts nationwide. This incident involved unauthorized access to student and teacher data due to the compromised credentials of a PowerSchool contract employee.
- How did the breach occur?
The data breach resulted from a compromised account belonging to a PowerSchool contract employee. Unauthorized individuals gained access using this employee's credentials, allowing them to access sensitive data.
- What information was affected?
The specific data impacted is still under investigation by PowerSchool. Craven County Schools has received confirmation regarding the types of data and the number of records involved. Both student and teacher data were compromised, but we have been informed that the breach included no student social security numbers.
- Was this breach isolated to Craven County Schools?
No. The breach impacted PowerSchool's global client base, potentially affecting millions of students and staff nationwide. Craven County Schools is just one of many districts involved.
- What is PowerSchool doing about the breach?
PowerSchool has taken steps to contain the threat and confirmed that the compromised data was not shared and has been destroyed. They are actively working with law enforcement to monitor for any signs of data exposure. PowerSchool is also conducting a thorough investigation to determine the extent of the breach and will notify affected individuals in compliance with applicable laws.
- Could Craven County Schools have prevented this incident?
PowerSchool has stated that neither Craven County Schools nor the North Carolina Department of Public Instruction could have prevented the breach. The incident occurred within PowerSchool's internal administrative connection, an area where neither the school district nor NCDPI has administrative access.
- What is Craven County Schools doing to protect student and teacher data?
Craven County Schools is committed to protecting student and staff data and is taking this matter very seriously. We are working closely with PowerSchool and NCDPI to address the situation and ensure appropriate actions are taken. The district will continue to update families and staff as more information becomes available.
- What should I do if I'm concerned about my information and/or my child’s information?
Stay informed by checking for updates from Craven County Schools and PowerSchool. You can also monitor your accounts and/or your child’s accounts for any suspicious activity.
Attachments:
January_15_PS_Communication_