Notification of PowerSchool Data Breach
Updated May 7, 2025: This page provides detailed information and updates regarding the cybersecurity breach involving PowerSchool, the student information system used by all K-12 public school districts in North Carolina, including Chapel Hill-Carrboro City Schools (CHCCS).
CHCCS will:
- Continue to ask questions and seek clarity about the incident.
- Share updated information as it becomes available.
PowerSchool has also created this webpage which includes detailed information and answers to frequently asked questions.
PowerSchool Email Notifications:
PowerSchool has begun sending notification emails to those impacted by their cybersecurity incident.
- They are using the email address Ps-sis-incident@mail.csid.com.
- Check your spam folder, just in case.
Messages
May 7, 2025
Subject: New Development in PowerSchool Data Breach / Nuevo desarrollo en la filtración de datos de PowerSchool
This update is for all CHCCS staff and families. It is our fourth communication regarding the cybersecurity incident in December involving PowerSchool, the software vendor that provides the Student Information System for North Carolina’s public schools. For previous messages sent in January, visit this page.
This morning, May 7, several schools across the state, including North Carolina Department of Public Instruction (NCDPI) employees, received messages from threat actors claiming to have access to student and teacher data from the PowerSchool data breach.
However, CHCCS can confirm that no employees received the suspicious message today, and the sender’s address has since been blocked from sending to any CHCCS email account (employee and/or student). While we do not yet know if any local families received these messages, NCDPI believes that the threat actors have access to the same statewide data tables that were originally exposed. These data tables include student and staff names, contact information, social security numbers (limited student social security numbers), birthdays, medical notes, passwords (limited) and parent/guardian information.
As a precaution, here’s what you need to know:
- Please do not open any suspicious links or emails related to this incident.
- Do not engage with anyone claiming to have this data.
- PowerSchool is offering two years of free identity protection and credit monitoring to all affected students and educators through July 1, 2025. NCDPI is advocating for this window to be extended further to ensure everyone has time to enroll. Affected individuals can enroll in identity protection and credit monitoring at no cost to themselves here. Services include:
  - Two years of complimentary identity protection for all students and educators affected
  - Two years of complimentary credit monitoring for all adult students and educators affected
  - These services are available regardless of whether an individual's Social Security number was compromised.
- Additional protection: Impacted users can freeze their identity for free through the North Carolina Department of Justice.
NCDPI has already notified appropriate law enforcement agencies, who are actively investigating this incident.
We want to assure you that CHCCS and NCDPI have done everything possible to protect this information. PowerSchool, the vendor responsible for the incident, has taken full responsibility for the breach and is providing support services for those impacted.
As we’ve shared previously, CHCCS will continue to ask questions and receive updates on this matter in order to keep you informed.
Thank you for your continued attention,
Chapel Hill-Carrboro City Schools
January 30, 2025
Subject: PowerSchool Cybersecurity Update
This update is for all CHCCS Staff and families. It is our third communication regarding the recent cybersecurity incident involving PowerSchool, the software vendor that provides our Student Information System. For previous messages, visit this page.
On Wednesday (January 29), PowerSchool initiated the process of notifying individuals whose information was determined to be involved.
PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services to current and former students and educators that had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Security Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved individuals (or their parent/guardian, as applicable) for whom PowerSchool has sufficient contact information.
Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian.
Whether or not you receive an email notification from Experian, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here: http://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/.
Thank you again for your time and attention to this matter,
Chapel Hill-Carrboro City Schools
January 15, 2025
Subject line: Confirmation of PowerSchool Data Breach / Confirmación de la violación de datos de PowerSchool
This update is for all CHCCS staff and families:
The North Carolina Department of Public Instruction (NCDPI) has confirmed that Chapel Hill-Carrboro City Schools’ PowerSchool staff and student data was accessed by an unauthorized party and is part of the PowerSchool data breach.
- As we first shared last week, PowerSchool has informed school districts that all breached data has been contained and destroyed.
- CHCCS is aware that this breach covers data from Summer 2013 to present, which would include both current and former staff and students.
- PowerSchool has confirmed that there were no actions that Chapel Hill-Carrboro City Schools or NCDPI could have taken to prevent this cybersecurity incident.
Next steps: Moving forward, it is our expectation that PowerSchool will conduct all necessary notifications once an analysis is complete to ensure appropriate and accurate compliance with local, state and federal requirements and laws.
PowerSchool has also created this webpage which includes detailed information and answers to frequently asked questions.
A summary of the incident timeline is available below:
- PowerSchool is a student information system (SIS) that has been in use in North Carolina since 2013.
- On December 28, 2024, PowerSchool became aware of a cybersecurity incident that began on December 19, 2024, involving unauthorized access to student and teacher data.
- The data breach occurred when the credentials of a PowerSchool contract employee were compromised.
- On the afternoon of Tuesday, January 7, PowerSchool alerted North Carolina public schools and NCDPI to a cybersecurity incident impacting student and teacher data across their global client base.
- This incident was not isolated to North Carolina.
- PowerSchool has shared that the threat has been contained and that the compromised data was not shared and has been destroyed.
- PowerSchool is working with law enforcement to monitor the dark web for any data exposure.
As we shared with you last week, CHCCS will continue to ask questions and receive updates on this matter. As mentioned above, it is our expectation that PowerSchool will conduct all necessary notifications once an analysis is complete to ensure appropriate and accurate compliance with local, state and federal requirements and laws.
Thank you for your continued attention,
Chapel Hill-Carrboro City Schools
January 8, 2025
Subject line: Notification of PowerSchool Data Breach
This message is for all CHCCS staff and families:
On Tuesday, Jan. 7, CHCCS and all other North Carolina school districts were notified that the student information system known as PowerSchool was impacted by a cybersecurity breach of student and teacher data.
- CHCCS has not yet received any notification if the data breach impacts our/your PowerSchool data.
PowerSchool, used by all K-12 public school districts in NC, is telling districts in its global client base that the incident has since been contained, and that any breached data was securely destroyed.
The North Carolina Department of Public Instruction (NCDPI) is currently in talks with PowerSchool on behalf of all NC school districts and charter schools to better understand the impact, if any, on NC students and educators.
PowerSchool and NCDPI have confirmed that there was nothing any individual parent, school official, or school district could have done to prevent this incident, as the breach occurred at PowerSchool when a PowerSchool employee’s credentials were compromised.
As NCDPI investigates, CHCCS will continue to ask questions and receive updates on this matter. We will let you know if any action becomes necessary, and we will share updated information as we receive it.
Thank you for your attention,
Chapel Hill-Carrboro City Schools