
A cybersecurity expert warns that hackers could continue to try to extort people for money related to the breach of millions of students’ and teachers’ data earlier this school year.
On Wednesday, state school leaders and employees from at least 20 North Carolina school systems began receiving emails attempting to extort them — a payment in cryptocurrency in exchange for keeping their data secret. They’re mentioning the same data that was breached in December. So far, no students or parents have reported receiving a message.
It comes nearly five months after a hacker stole data from PowerSchool, a state data management contractor, and successfully obtained a ransom payment from the company in exchange for sharing a video of them deleting the data. At the time, PowerSchool told customers that the threat was contained and that it didn’t expect any further distribution of the data.
Cybersecurity expert Doug Levin told WRAL News ahead of a report published Sunday to “take that with a grain of salt.”
This week’s developments are what Levin, the director of cybersecurity nonprofit K12 Security Information Exchange, warned about.
That the threat from the breach isn’t over “certainly suggests that paying any extortion demand is a very weak bet that you know they’re going to do the right thing,” Levin said. “These are criminals, after all.”
On Wednesday, PowerSchool said it knew paying the ransom came with the risk. The company wrote, “It pains us that our customers are being threatened and re-victimized by bad actors.”
State Superintendent of Public Instruction Mo Green calls the breach “unacceptable.”
“The perpetrators are preying on innocent students,” Green said.
The data breach occurred Dec. 19 when the account of a PowerSchool contractor was compromised. That contractor had access, via a maintenance portal, to the data of millions of teachers and students worldwide. According to North Carolina officials, PowerSchool learned of the attack when the hacker notified the company on Dec. 28. PowerSchool notified the state of the hack on Jan. 7.
The data included names, addresses, contact information, photos, grades, race and more than a hundred other datapoints for students. More than 300,000 teachers’ Social Security numbers were included.
Children’s personal data is highly valuable to hackers looking to take advantage of a demographic that doesn’t have a habit of checking for credit reports in their own names.
Now, someone — or some organized criminal gang, as Levin theorizes — says they have this data and is telling that to school employees directly.
State education officials said the North Carolina Local Government Information volunteer Cyber Strike Team “assisted NCDPI in confirming the validity of the data shared by the threat actors.”
More people might receive messages from this “threat actor,” Levin said. State officials are urging people to report any message from someone who claims to have this data to the Department of Public Instruction. The department won’t engage with the threat actor and won’t pay a ransom, Green said, but it is working with the FBI on the matter.
Levin said people should take advantage of the credit protection PowerSchool is offering via Experian. They should not click on links in suspicious messages or respond to the sender. They should report suspicious messages to school officials and law enforcement. People should change any passwords they use in any school system, as well as any passwords elsewhere that are the same as ones they use in a school system, he said, and implement multifactor authentication for logging into any accounts.
“We also always encourage literally everyone, whether you’ve been caught up in this incident or not, to just freeze their credit records at the credit reporting agencies,” Levin said. “It is a simple step that you can take to provide some measure of protection against financial fraud against yourself, should your information ever get exposed in a data breach like this one.”
Schools and education software are increasingly targets for cybercriminals, Levin noted.
“Incidents have been happening more frequently. They’ve been more sophisticated,” he said. “They have also been more significant in terms of their impact, whether you’re talking about money or amounts or sensitivity of data that has been released.
“And one of the things that school systems are doing now is also looking and asking questions of all of their vendors and third parties they do business with, like PowerSchool. There is certainly a trend right now that school systems are beginning to ask many more questions of their vendors and partners to ensure that they have strong cybersecurity in place, while school systems as well are shoring up their cybersecurity practices.”
Cybersecurity incidents involving K-12 data have been on the rise in recent years, according to Levin and other cybersecurity consultants. Eighty percent of information technology professionals in K-12 education reported being the target of a ransomware attack in 2023, according to a survey by cybersecurity advisory firm Sophos. That’s up from 56% in 2022. K-12 was the most-targeted sector in the survey of 3,000 IT professionals.
The threats are typically coming from overseas, especially from Russia, Levin said. In this case, based on communications he’s seen, Levin noted the threat actors aren’t communicating in perfect English. Their request for cryptocurrency in exchange for data security is also a sign that they may be operating overseas, he said.
Dozens of lawsuits have been filed against PowerSchool over the breach, including one filed by a Winston-Salem/Forsyth County Schools teacher. North Carolina Attorney General Jeff Jackson launched an investigation into the breach earlier this year but has not filed a lawsuit.