'Damage beyond a dollar cost': CHCCS PowerSchool data breach

On Jan. 7, the North Carolina Department of Public Instruction sent out an email notifying school districts of a cybersecurity breach of student and teacher data in PowerSchool, a national software used to store administrative information for K-12 schools. 

The breach occurred on Dec. 19, but PowerSchool did not discover the incident until Dec. 28 and reported it to the NCDPI over a week later on Jan. 7. Chapel Hill-Carrboro City Schools Chief Communications Officer Andy Jenks said the district is communicating with PowerSchool through NCDPI to obtain further details regarding the breach. 

The email shared to CHCCS staff and families said PowerSchool has contained the incident and safely destroyed any data that was breached, but it is unknown whether the breach affected schools or individuals within the district. The email also said the NCDPI is currently investigating the breach and communicating with PowerSchool on behalf of all North Carolina school districts to better understand the impact, if any, on students and teachers. 

PowerSchool shared on its website that it is working with Experian, a trusted credit reporting agency, to notify students and educators whose information was breached in the next few weeks. While they have already determined an affected portion of students and teachers internationally and nationally, PowerSchool's ongoing investigation will identify the specific individuals, schools and districts who were impacted.

Jeremy Marzuola, a father of two Carrboro Elementary School students, said he was initially worried about what information was breached in the cybersecurity attack. He said it would be good to know what data was stored in PowerSchool and whether or not an attacker had access to it. 

“Given how quickly [CHCCS] communicated that the data breach had been confined, I felt okay about it, I thought they communicated rather quickly, so overall, I felt relatively good about the response,” he said. 

UNC Professor of Computer Science Saba Eskandarian said breaches of this nature are typically caused by an attacker seizing credentials including passwords or tricking a user into clicking on a phishing email. 

He said the information that was breached most likely includes names of students and teachers, academic information, medical information, Social Security numbers and more. According to PowerSchool’s website,  there is no evidence that any credit or banking information was involved in the breach. 

The attackers will typically download this data and ask the platform for money in exchange for not releasing the information and selling it, Eskandarian said.  There are many costs of recovering from a data breach, including the cost of monitoring the breached data and the cost of running the investigation, he said. 

“I think there is damage beyond a dollar cost,” Eskandarian said. 

On their website, PowerSchool said they will be offering two years of complimentary identity protection services for all the affected individuals as well as two years of complimentary credit monitoring services for all affected adults.

Jenks said there is nothing the NCDPI or CHCCS could have done to prevent this breach, as it happened on PowerSchool’s platform. He said the district will await further instruction from PowerSchool and NCDPI before taking immediate action. 

An effective preventative method for data breaches, Eskandarian said, is establishing two-factor authentication or the requirement of strong password on PowerSchool. He said these measures are easily applied and do not have a high cost, but they significantly reduce the risk of a breach. 

PowerSchool’s website stated that, beyond the investigation, the company is investing in its cybersecurity defenses and enhancing its security policies.

Moving forward, Jenks said CHCCS will determine what, if any, additional measures need to be taken.

"We want to make sure we're aligned and honest with what has taken place, and answering everyone's questions and passing along the latest information," he said.

@DTHCityState | city@dailytarheel.com