Emails from “threat actors” were received by 20 North Carolina school districts on May 7 per the N.C. Department of Public Instruction. The emails are linked to a data breach involving the statewide school information system PowerSchool which occurred near the end of December 2024.
PowerSchool is used by 55 million students spanning 90 countries worldwide. Typically, individual districts in U.S. states use PowerSchool, however the application is used statewide in North Carolina K-12 schools.
During a virtual press conference with media, N.C. State Superintendent Mo Green said the FBI is investigating the incident as are the appropriate state cyber threat agencies and offices.
N.C. Department of Public Instruction’s (NCDPI) Chief Information Officer Vanessa Wrenn said the agency is not prepared to release the names of the 20 districts at this time.
The data appears to be the same information that was included in the PowerSchool data breach announced earlier this year, of which PowerSchool received similar emails demanding money for the return of the data.
Schools and districts received an email from PowerSchool on Dec. 28, 2024, about the data breach affecting the Student Information System (SIS) that stores and manages student records, grades, attendance, enrollment and personally identifiable information such as names, addresses, medical information and even Social Security numbers.
Wrenn said the emails received by North Carolina schools were like what PowerSchool had received last year, noting the new emails used the “the same tactic,’ but targeted “a different audience.”
Wrenn indicated the emails contained demands for Bitcoin to be paid to the threat actors in return for the data they allegedly possess.
“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that at least at this point, is proving to be incorrect.”
Green is referring to a Dec. 28 email PowerSchool email to client that said the data in the December breach would “not be shared or made public,” and they “believe it has been deleted” without being copied or shared. PowerSchool reportedly paid an undisclosed ransom to the hackers to stop the data from being shared or released.
The data involved in the December breach included certain student and staff names, addresses, medical information and Social Security numbers.
“It is not yet clear if the same threat actor is responsible for both of these incidents,” Green said, adding that PowerSchool has indicated they do not believe there was a second breach as the data was the same as the December breach.
At least one other state, Oregon, has received identical emails from the threat actors. Additionally, the demands are international at this point, with Canada receiving an identical email message from the threat actors on May 5.
North State Journal asked Green if NCDPI was contemplating legal action against PowerSchool. Green noted the February 2025 announcement by the N.C. Department of Justice (NCDOJ) and Attorney General Jeff Jackson of an investigation into the previous breach incident, and said, “We will certainly communicate this information to them [NCDOJ].”
Green added that whatever action brought by the NCDOJ would be on behalf NCDPI, the State Board of Education and the state.
NCDPI has instructed the state’s districts and schools not to engage the threat actors but instead report contact to NCDPI. A form has been provided to the districts to use and share with their students and families for that purpose.
Wake County Public Schools, the state’s largest district, issued a statement to parents the same evening NCDPI made its announcement about the threat emails.
Two years of credit monitoring and Identity theft services are being provided by PowerSchool free of charge with enrollment due by July 31. More information on these services can be found on the PowerSchool website.
Wrenn told reporters that NCDPI is in talks with PowerSchool to extend that deadline.
NCDPI has a dedicated webpage for the data breach incident, which include updates and credit monitoring links.
The NCDOJ also has identity protection resources available on their website.
The state’s contract with PowerSchool will be ending in a few months and will begin the transition a new system, Infinite Campus, on July 1. The transition is scheduled to happen over a two-year period.
NCDPI’s Cybersecurity Team “conducted a thorough investigation of Infinite Campus’ security practices and reviewed all other technology contracts to ensure proper security standards are in place,” per an NCDPI press release.
