School Cyberattacks Expose Gaps in Data Disclosure as PowerSchool Ransom Claim Spreads and Portland Probe Drags On

On a cold morning in January 2025, North Carolina parents opened routine-looking emails about a “global cybersecurity incident” at PowerSchool, the online system they use to check grades and attendance. The notices warned that some information may have been accessed without authorization but assured families the threat was over.

PowerSchool, the letters said, had contained the breach and ensured that any stolen data “was not shared and has been destroyed.”

Four months later, staff in about 20 North Carolina school districts began receiving emails that suggested otherwise. On May 7, 2025, “threat actors” wrote to them directly, demanding payment in Bitcoin and claiming to hold exactly the student and staff information that was supposed to have been wiped.

The incident, now part of a multistate investigation, is one of two recent school cyberattacks that show how slowly and unevenly U.S. K‑12 systems are responding when hackers make off with sensitive data on children, families and employees.

In North Carolina, a vendor’s assurances that stolen data had been destroyed unraveled in public. In Portland, Maine, the state’s largest district spent nearly a year investigating a ransomware attack before confirming that names, Social Security numbers and financial and medical details had likely been accessed and starting to notify 12,128 affected people.

Together, the cases illuminate a widening gap between how quickly cybercriminals move and how long it can take schools and their vendors to disclose what really happened.

A global vendor breach hits nearly 4 million in one state

The PowerSchool incident began in December 2024, when a hacker used the credentials of a contract employee to get into the company’s systems. The platform serves districts around the world and has been North Carolina’s statewide student information system since 2013.

By the time the company discovered the intrusion on Dec. 28, 2024, data tables containing student and staff information had been accessed. The North Carolina Department of Public Instruction, which oversees K‑12 public schools, was notified on Jan. 7, 2025.

Initial messages from the department and local districts leaned heavily on PowerSchool’s statements.

PowerSchool had “assured us that the compromised data has been secured and deleted,” Vanessa Wrenn, the department’s chief information officer, told the State Board of Education in a January briefing. She emphasized that “no actions by our schools or no actions by DPI could have prevented this incident from happening.”

The state attorney general’s office later said the breach ultimately affected more than 62.4 million current and former students and teachers nationwide, including nearly 4 million people in North Carolina. Potentially exposed information included names, addresses, Social Security numbers for some students and many staff members, and medical and disciplinary details.

PowerSchool began notifying individuals and offering identity protection and credit monitoring. District notices repeated that the company believed the stolen data had not been shared and had been destroyed.

That assurance did not hold.

On May 7, 2025, North Carolina’s education department and roughly 20 local districts received emails from people claiming to be in possession of PowerSchool data and demanding Bitcoin to keep it from being released.

Wrenn later said the messages “showed some evidence of having the same data that was breached in January” and described them as extortion attempts mirroring communications previously sent to PowerSchool itself.

State Superintendent Maurice “Mo” Green told reporters that the department “has not and certainly will not engage with these threat actors.” A 2023 state law, Section 143‑800 of the North Carolina General Statutes, prohibits state agencies and local governments from paying ransomware demands or even communicating with attackers for the purpose of making a payment.

Green also publicly distanced the department from the vendor’s earlier reassurance.

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” he said. “Unfortunately, that at least at this point, is proving to be incorrect.”

The state Department of Justice would later disclose that PowerSchool had quietly paid a ransom after the December 2024 breach in exchange for promises that the stolen data would be erased. Company representatives were shown a video that appeared to depict the information being destroyed, according to accounts provided by state officials.

That did not stop extortionists — potentially the same group or others who obtained copies — from attempting to pressure schools directly months later.

North Carolina Attorney General Jeff Jackson has opened an investigation into PowerSchool’s security practices and breach response and has demanded detailed records on the company’s safeguards, response steps and the precise number of affected residents. He has said he will “take additional legal action if necessary.”

The State Board of Education has since voted to end use of PowerSchool as the statewide student information system as of June 30, 2025, shifting to a new vendor, Infinite Campus, on July 1. PowerSchool remains under a limited contract for other tools such as educator evaluations and applicant tracking, under conditions that include independent security testing and review by the North Carolina National Guard’s cybersecurity unit.

Nearly a year to confirm data exposure in Portland

If North Carolina’s PowerSchool saga highlights the risk of centralized vendors, the Portland Public Schools breach in Maine points to challenges at the district level.

On or about Feb. 2, 2025, Portland’s network was accessed without authorization. The Maine attorney general’s office lists the breach date as Feb. 5 and describes it as an external hacking incident.

Around May 2025, the ransomware group RansomHub posted Portland Public Schools to its data leak site, claiming to have stolen about 110 gigabytes of data and publishing samples that appeared to include identification scans, insurance documents, budgets and student health records. The district did not publicly confirm those details at the time.

Instead, it launched what officials later described as an “extensive forensic investigation and comprehensive document review.” That work continued throughout 2025.

Nearly a year after the initial intrusion, on Jan. 6, 2026, the district concluded that personal information “may have been accessed and/or acquired” by the attacker.

“As a result of the investigation, it was determined that this incident was attributable to a cybersecurity attack,” Hayley Didriksen, the district’s senior director of data and technology, wrote in a Jan. 30 letter to affected individuals. “We have also learned that certain employee personal information was likely accessed and/or acquired by the bad actor.”

Portland then began mailing notification letters, as required under Maine law. The filing with the attorney general’s office reports that 12,128 people were affected, including 5,183 Maine residents and others in neighboring states.

According to that filing and descriptions of the notices, the types of information involved included full names, Social Security numbers and financial account details. Some letters also referenced medical and health insurance information, government-issued identification numbers and dates of birth.

The district offered 12 months of free credit monitoring and identity theft services through Experian but did not say in public statements whether it had paid or negotiated with RansomHub.

Maine’s data breach statute requires entities to notify the attorney general and affected residents “as expediently as possible and without unreasonable delay,” while allowing time for law enforcement investigations and measures to determine the scope of the breach. Whether the nearly yearlong gap in Portland’s case meets that standard may ultimately be tested if litigation moves forward. At least one law firm has announced it is exploring a class-action lawsuit.

Schools as targets — and the limits of current protections

Security researchers say both incidents fit into a broader pattern of attacks on education institutions.

Ransomware groups and data thieves increasingly view school systems as attractive targets because they hold large volumes of personal information — not just on students, but also on parents, guardians and employees — while often running on limited technology budgets and aging infrastructure.

In North Carolina, Jackson’s office reported that 2,258 organizations disclosed data breaches in 2024, impacting nearly 6.7 million residents, a record for the state. The PowerSchool incident was one of the most far‑reaching because the vendor’s platform is used to manage student records statewide.

In both the PowerSchool and Portland cases, the primary remedy offered to victims has been a limited period of credit monitoring and identity theft protection, typically one to two years. Privacy advocates and some law enforcement officials have questioned whether that is adequate when the compromised data includes Social Security numbers, medical and disciplinary histories and other records that can be misused long after monitoring expires.

The main federal laws governing student privacy — the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act — focus on how schools and companies collect and share data, not how they respond when hackers steal it. Breach notification requirements and ransom policies are largely set at the state level, creating a patchwork of rules.

North Carolina has moved to tighten oversight of its education vendors, requiring annual security attestations for companies that handle protected information and involving the National Guard in reviewing major contracts. Maine’s law, like those in most states, focuses on post‑incident notification rather than prescribing specific cybersecurity standards for districts.

For families and school staff, those distinctions can be hard to see. In both North Carolina and Maine, the first concrete sign that something was wrong came as a letter in the mail or a notice in an inbox, often months after the initial attack.

In North Carolina, those letters once told parents that stolen data had been “secured and deleted.” In Portland, they informed recipients that their Social Security numbers and, in some cases, medical and financial details “may have been accessed and/or acquired” by someone who broke into the district’s systems nearly a year earlier.

In each case, the message ended the same way: a recommendation to sign up for credit monitoring and to watch accounts carefully, and an acknowledgment that school systems now operate in a world where the information they collect about students and staff can travel far beyond the classroom.
