North Carolina schools are preparing to move troves of student and teacher data from the recently hacked PowerSchool into a new system, Infinite Campus, in the coming weeks.
The new system must be vetted for cybersecurity, the same way PowerSchool was, under North Carolina law. Infinite Campus has met those compliance standards, according to the North Carolina Department of Public Instruction, just like PowerSchool did.
“These state policies are strong on paper but they rely heavily on consistent enforcement by the schools and the tech providers,” said Kimberly Simon, chief executive officer of Secure Network Administration, a Durham information technology and cybersecurity company.
In December, PowerSchool learned that it had been hacked when it received a threatening message from someone claiming to have access to data on 60 million students and 10 million teachers worldwide, asking for millions of dollars in ransom, recently filed federal court documents show.
The breach ultimately exposed personally identifying and academic data on students and teachers at every North Carolina public school that has ever used PowerSchool dating back to when the state signed its contract with the company in 2013, impacting potentially millions of people.
PowerSchool said it paid a ransom in exchange for the data’s destruction, though cybersecurity experts have consistently warned since the hack not to trust that the hacker has destroyed the data. Earlier this month, school employees in North Carolina and other schools worldwide began receiving new threatening messages claiming to have the data and asking for ransom payments.
On Tuesday, Matthew D. Lane pleaded guilty to two federal charges related to the PowerSchool hack, including unauthorized access to the company’s network and using a PowerSchool contractor’s credentials to access that network.
North Carolina law requires cybersecurity standards for any statewide information systems. The Department of Information Technology’s statewide information security manual spells out more than 200 pages of rules, including an identification and authentication policy that applies to any state agency, education agency or contractor.
The policy requires all privileged accounts — those that can change the configuration of a system and make other high-level changes — to have multi-factor authentication. All non-privileged accounts must have it when accessing networks remotely but not necessarily at other times.
“Multifactor authentication should be standard. It should’ve been standard,” Simon said. “I’m glad it’s mandatory for all sensitive information.”
Before the hack, PowerSchool didn’t require multi-factor authentication for all contractors’ accounts, including the contractor whose account was ultimately compromised late last year. Since then, the company has made multi-factor authentication mandatory for all contractors.
Since the PowerSchool hack, officials with the North Carolina Department of Public Instruction said they have met with all of the department’s data contractors.
The department’s chief information officer, Vanessa Wrenn, told WRAL News earlier this spring that DPI reviews the data security of each contractor each year.
PowerSchool, despite lacking multi-factor authentication requirements for contractors at the time of the breach, was in good standing, Wrenn said.
Wrenn declined at the time to say whether that was a sign of weakness in the state’s security assessments.
“We always hear in cybersecurity ‘It’s not if, but when,’” Wrenn said at the time, referring to the inevitability of a cybersecurity attack. “You’ve all heard that, and we’re using the best tools we have.”
Other cybersecurity experts suggested to WRAL News earlier this year that agencies can only do so much to be sure of the cybersecurity of their contractors.
Earlier this month, state Superintendent of Public Instruction Mo Green said the state is happy with Infinite Campus’ security infrastructure and expressed higher confidence in the company.
In a statement to WRAL News on Thursday, DPI reiterated that sentiment.
“Before entering into a contract with Infinite Campus, the North Carolina Department of Public Instruction (NCDPI) worked with the North Carolina Department of Information Technology’s (NCDIT) Enterprise Security and Risk Management Office to assess and approve Infinite Campus’ cybersecurity assessments and documentation in accordance with the standards outlined in NCDIT’s Statewide Information Security Manual,” according to a DPI statement. “As with any third-party application that houses sensitive information, NCDPI and NCDIT do an annual evaluation and perform continual monitoring throughout the year.”
A WRAL News report earlier this month revealed what PowerSchool told schools about how it handled the hack, why children are especially vulnerable to data breaches and how people can protect themselves and their children.