HAMLET — Richmond County Schools was one of several systems compromised by a late December global cyber security breach, the district announced on Wednesday.
According to a press release, the student information system PowerSchool was made aware of the breach on Dec. 28 — nine days after it began.
The breach involved “unauthorized access to student and teacher data across PowerSchool’s global client base,” according to Cameron Whitley, executive director of communications for RCS.
“The breach occurred when a PowerSchool contract employee's credentials were compromised,” Whitley said in the release. “PowerSchool has reported that the threat has been contained, the compromised data was not shared, and it has since been destroyed. The company is working with law enforcement to monitor the dark web for any signs of exposure.”
According to Whitley, PowerSchool informed the N.C. Department of Public Instruction about the breach on Jan. 7, and RCS was made aware Jan. 10 that local data was involved.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” reads a statement about the breach on the PowerSchool website. “We are working to complete our investigation of the incident and are coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as they become available.
“PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers. We have no evidence that other PowerSchool products were affected as a result of this incident or that there is any malware or continued unauthorized activity in the PowerSchool environment.”
It appears that NCDPI has not issued a press release about the breach.
However, a spokesperson told WRAL-TV that the department believes “demographic information is primarily what was illicitly accessed.”
“PowerSchool will notify impacted students and staff directly as they continue addressing the situation,” said Whitley. “Richmond County Schools is still in the process of investigating data which may have been included in the breach but can confirm no student social security numbers were compromised.”
Whitley said that neither the district nor NCDPI had administrative access to the system during the breach “and there was no action either could have taken to prevent this incident.”
According to K12 Security Information eXchange, there were more than 1,600 cyber incidents of schools from 2016 to 2022.
A map shows Lee County Schools had an incident in August of 2020, while schools were remote during the COVID pandemic, when “an online intruder gained access to a virtual classroom and displayed racist, violent and pornographic content for the whole class to see.”
That same week, the principal of Jack Britt High School in Cumberland County reportedly had his email address cloned and “inappropriate messages were sent out to the school community appearing to be from him.”
“Protecting student and educator data is a top priority for Richmond County Schools and NCDPI,” Whitley said. We are fully committed to ensuring the security of sensitive information and to supporting those affected by this incident. NCDPI is actively working with PowerSchool to address the situation and advocate on behalf of our students and staff, prioritizing their privacy and data security every step of the way.”
Whitley said that RCS has transitioned from PowerSchool to another system, Infinite Campus, for the rest of the school year.
According to WRAL, all districts in the state were scheduled to switch to Infinite Campus in July.
NOTE: This story has been updated to make a clarification on the timeline of the system being made aware of the breach. 1:40 p.m. 1-15-25
