Dare County Schools provides update on recent online data breach

On Wednesday afternoon, January 15, Dare County Schools (DCS) Superintendent Steve Basnight shared the following message regarding the recent PowerSchool security breach, which affects Dare County Schools and school systems around the globe.
Dare County Schools Community:
The PowerSchool Student Information System (“PowerSchool”) has been in use at all North Carolina public schools since 2013. Dare County Schools no longer uses PowerSchool, having fully transitioned to Infinite Campus in August 2024. PowerSchool continues to store historical data from North Carolina dating back to 2013, including Dare County Schools data.
On the afternoon of Tuesday, January 7, 2025, PowerSchool alerted the North Carolina Department of Public Instruction (“NCDPI”) in Raleigh to a cybersecurity incident impacting student and teacher data across their global client base. This incident was not isolated to North Carolina and impacted potentially millions of students and staff across the nation.
On December 28, 2024, PowerSchool became aware of a cybersecurity incident that began on December 19, 2024, involving unauthorized access to student and teacher data. The data breach occurred when the credentials of a PowerSchool contract employee were compromised. PowerSchool has shared that the threat has been contained and that the compromised data was not shared and has been destroyed. PowerSchool is working with law enforcement to monitor the dark web for any data exposure.
On the evening of January 10, 2025, we were notified that DCS student and teacher information was part of the data which was impacted by the breach. DCS has not been informed of specific individuals involved in this breach.
PowerSchool will be responsible for conducting all necessary notifications to individuals to ensure appropriate and accurate compliance with local, state and federal requirements and laws.
PowerSchool has confirmed that there were no actions that districts or NCDPI could have taken to prevent this cybersecurity incident. Neither our district nor NCDPI has administrative access to PowerSchool’s internal administrative connection where the breach occurred.
Protecting student and educator data is a top priority, and we are taking this matter very seriously. DCS and NCDPI are committed to protecting our students and staff, and we are actively advocating for each of them as we navigate this incident.
PowerSchool continues to update its website with information regarding the cybersecurity incident. You may access this information by visiting PowerSchool’s website.
Thank you for your support, and we will keep you updated as more information becomes available.
Steve Basnight
Superintendent
Just one of the 1000s of breaches per year, yet no company can be sued as far as I can tell based on the various breaches I have been notified of. The guilty throw us a free year or two of credit report monitoring and walk away more or less unscathed. I suspect the credit report agencies are being financially propped up by this revenue only.
The problem with cloud-based applications such as PowerSchool and the new Infinite Campus is they have attack vectors from all over the world. When the school system moved from a local application to the cloud, they pushed the responsibility of security onto PowerSchool. Probably a good move, as it is unlikely the school system has a single employee with enough knowledge to lock down and maintain a lockdown of the school system's computer. In defense of the school system, there is no way the administrators would properly budget for this because they do not understand the risks. Given the breach, one has to ask what type of security PowerSchool is using. My guess would be username/password only, but we will never know. There are multiple two-factor authentication options that are several orders of magnitude of protection. The other possibility is the contractor was located at their company site with an expected-to-be-secure connection between the companies' computer network, but those are very easy to improperly configure.
The worst part about this is even though the county stopped using PowerSchool the data was not locked down so it continues to be at risk of being compromised again. I would like to see a resident try and sue the county. They collected the data and passed responsibility of protecting it, but still are ultimately responsible for safeguarding it.