CHARLOTTE, N.C. (QUEEN CITY NEWS) — Hackers have gained access to a student information system used by North and South Carolina public schools.
The N.C. Department of Public Instruction just got notified by the vendor, PowerSchool, about the data breach this week.
Union County Public Schools say they, along with the vendor and the state Department of Public Instruction, are all taking this situation very seriously.
The school district says its top priority right now is to find out which data files were breached.
“I’m not concerned whether some crazy hacker knows my child takes AP or college prep classes, my bigger concern is really more do they know where they live?” said Stephanie Esposito, a UCPS parent.
Esposito got an email from the school district telling her that her daughter’s personal information may have been accessed in a data breach through the schools.
“I guess my brain goes to the worst-case scenario, which is what could someone do with that information, even though they don’t have social security numbers and that type of thing, they know where each child goes to school and they have home addresses,” said Esposito.
The data breach was discovered on Dec. 28, but NCDPI was not told about it until 11 days later.
DPI says that hackers stole the credentials of a contract employee of PowerSchool, the information system that’s used by schools that was hacked. The criminals then had unauthorized access to student and teacher information.
PowerSchool contains things like student schedules, grades, parent information and home addresses.
UCPS say the system does not have social security numbers or financial information.
DPI says PowerSchool says that the breach has now been contained and the information deleted.
“The problem here is that the attackers they can study you, they can see your moves, they can see your patterns,” said Chip Florian, CEO of Ciprian IT, a cybersecurity management firm in Charlotte.
Florian says school systems and businesses, both big and small, have to budget for regular security awareness assessments, data encryption, employee training and good vendor management.
“You have to have a great IT team where their main focus is to stay ahead of the criminals, because what we see here is PowerSchool I believe is negotiating with the criminals and relying on them not to release this data,” said Florian.
Esposito also has a message for other parents to limit what you post on social media.
“Realize that it’s everywhere, get LifeLock and keep your business off of Facebook,” said Esposito.
Lancaster County Schools sent out information from the South Carolina Department of Education telling parents this is what they call an “international incident” and that state and local schools had no control over the data breach.
Charlotte-Mecklenburg Schools sent the following information, in part, to parents:
Charlotte-Mecklenburg Schools and NCDPI did not have a breach of its in-house data. The breach targeted the vendor, PowerSchool. We do not know what specific data was compromised. Charlotte-Mecklenburg Schools will work alongside NCDPI and PowerSchool to ensure that all required notifications are conducted.
Cabarrus County Schools sent the following information, in part, to parents:
Cabarrus County Schools will work alongside NCDPI and PowerSchool, to ensure that all required notifications are conducted.
It is important to stress that there is nothing that Cabarrus County Schools or NCDPI could have done to avoid this cybersecurity incident. Neither our schools nor DPI have administrative access to the maintenance tunnel where the breach occurred.
In the coming days, impacted students and staff will receive notification. Protecting student and educator data is a top priority, and we are taking this matter very seriously.
