
The North Carolina Department of Public Instruction (NC DPI) confirmed Wednesday evening that the state’s PowerSchool student information system was targeted by a cyber extortion campaign. The breach reportedly happened back in January, but this week the perpetrators of the cyber-attack contacted staff members at DPI directly by email demanding Bitcoin payments.
The perpetrators say DPI should pay in Bitcoin to prevent the release of sensitive data tied to thousands of students and staff members across North Carolina’s public schools, including charter schools.
The data at risk includes names, contact information, Social Security numbers, birth dates, medical notes, and parent/guardian details. In a Wednesday evening virtual press briefing, DPI Superintendent Mo Green said the development does not appear to involve a new breach, but rather a new attempt to extort funds over the same dataset compromised in a January 2025 cyberattack. The original breach was confirmed to have occurred within the contractor PowerSchool’s systems, not those of DPI or local school districts.
Forensics and analytics experts say that such cyber attacks are on the rise, as the technology behind them gets more advanced.
“We’re seeing a significant uptick in the technical sophistication of threat actors exploiting blockchain systems. Ransomware, extortion schemes, and anonymized payments are becoming more challenging to trace,” Shaun MaGruder, CEO of BlockTrace, told Carolina Journal. “We actively support law enforcement at all levels in pursuing these criminals, especially when their crimes involve the exploitation of children. That’s a new low, and we won’t hesitate to help bring them to justice.”
This attack seems to have been on the PowerSchool system that serves public schools only, although many private schools use it as well. So far, DPI says the details on exactly whose information is vulnerable cannot be confirmed.
“We do not have any students in our student information system from a private school,” said DPI chief information officer Dr. Vanessa Wrenn, during a virtual press briefing Wednesday. “This is also impacting charter schools, that was part of the data set that was originally breached. We did not have evidence of any charter schools receiving an e-mail today from the threat actor.”
Global Scope, Local Impact
DPI reported that 20 North Carolina Local Education Agencies (LEAs) received emails from what they described as a “threat actor,” along with approximately 50 employees at the state Department of Public Instruction. The messages, consistent with those sent to other PowerSchool customers worldwide — including in Oregon and Canada — contained threats to release private data unless paid in Bitcoin.
“There was nothing that the Department of Public Instruction, school districts or individual schools could have done to prevent these violations,” said Green.
PowerSchool, in a statement the day of the threats, denied that a second breach occurred, asserting the current threat involves the same data from the original January breach. However, the DPI chief seemed to express frustration that PowerSchool had previously assured clients the compromised data had been destroyed.
“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” said Wrenn. “We are, as I mentioned earlier, working closely with law enforcement to try to do everything we can do to be sure that the responsible parties are held accountable for their actions.”
The office of North Carolina’s Attorney General Jeff Jackson launched an investigation in January into the attack, and on Wednesday, Green said that the AG’s office has not yet decided whether to take any legal action against PowerSchool.
Transitioning to a new system
During the press briefing, DPI announced that PowerSchool’s contract will expire on July 31, 2025, and all public school units — including charter schools — will transition to Infinite Campus, what they say is a more modern student information system chosen in part for its stronger data security measures.
“We also deeply investigated Infinite Campus’ security practices and are pleased with how they are designed,” said Green. “Here in North Carolina we certainly take protecting educator and student data very seriously.”
Protection and Reporting
Affected individuals — including current and former students, educators, and their families — are encouraged to sign up for free credit monitoring and identity-theft protection, which is currently available through July 31, 2025, although Wrenn says they will be advocating to keep monitoring available beyond that date.
PowerSchool is offering two years of free identity-protection services to students and educators whose information was involved, plus two years of credit monitoring for adults impacted.
DPI is urging anyone receiving a message from the threat actor to not engage and instead report the message through DPI’s secure cyber incident form. Law enforcement reporting is being handled centrally by DPI.
“In this situation, the threat actor communicated directly with schools and the North Carolina Department of Public Instruction,” said Green. “They’ve done this not only with us but with other end users, if you will. So other districts across the globe have also experienced this as well. We’re not alone.”
The post NC schools targeted in Bitcoin extortion scheme over breach: How to protect your data first appeared on Carolina Journal.