
RALEIGH — At a called meeting of the North Carolina State Board of Education on June 23, the board voted unanimously to approve a short-term contract extension with PowerSchool, the student data system used by the state that suffered a global data breach near the end of last year.
Following the breach, “threat actors” made ransom demands to North Carolina districts this May. In late May, 19-year-old Matthew Lane of Massachusetts pleaded guilty to four federal charges related to the breach, including cybercrimes and aggravated identity theft.
The state ended its use of PowerSchool for student records on June 30 and will transition to Infinite Campus over the summer.
The limited six-month extension approved by the board for PowerSchool pertains to the North Carolina evaluation system, or NCEES, and the systems supporting teacher applicant tracking, onboarding and a statewide job board. The latter system is used by 95% of local school districts and 90% of charter schools.
N.C. Department of Public Instruction’s Chief Information Officer Vanessa Wrenn said what is being kept is “separate and apart from the student information system” that was hacked. She also said that because of the PowerSchool data breach, the limited extension will have significant security requirements, which include engaging the North Carolina National Guard to conduct a cybersecurity review of all of PowerSchool’s related systems.
“This is the first time that we’ve asked the North Carolina National Guard to step in with the vendor relationship,” Wrenn said.
Additional controls include requirements for third-party penetration testing, “SOC 2 Type 2” reports and forensic reports, all to be delivered by Sept. 1. No payments to PowerSchool will be made until those reports are received.
Pricing listed in the contract details includes 68 cents per student for the applicant tracking system with a minimum cost threshold and approximately $269,836 for the educator evaluation system prorated for six months.
The board can extend the PowerSchool contract again up to three times, each for a six-month period. Any additional extensions would be dependent on PowerSchool getting a security green light.
The limited extension approved by the board comes as N.C. Attorney General Jeff Jackson has issued a civil investigative demand (CID) to PowerSchool regarding the data breach. A CID is the equivalent of an administrative subpoena and is often used in an investigative manner ahead of formal legal proceedings.
“Last year’s data breach compromised the personal information of teachers, public school employees and families across North Carolina,” Jackson said in a press release. “I’m demanding more information from PowerSchool about how this breach happened and who it affected, and what we learn will drive our next steps.”
According to Jackson’s press release, his CID is seeking the exact number of North Carolinians impacted by the 2024 data breach, what cybersecurity measures PowerSchool had in place to protect users’ personal information leading up to the breach and which security flaws contributed to the breach.
Jackson is also asking for information on PowerSchool’s actions following the breach, the steps taken to address cybersecurity failures, measures to strengthen security and what the company has done to assist affected customers.