
State of North Dakota – FAQ on PowerSchool Cybersecurity Incident

Has PowerSchool acknowledged the breach, specifically its impact to North Dakota?

Yes. NDIT met with PowerSchool on Friday, January 10th, and they acknowledged that the State of North Dakota was impacted. PowerSchool sent initial notifications to PowerSchool SIS customers on January 7th based on a list of impacted SIS instances, and PowerSchool has acknowledged that the instances may not have been mapped properly. PowerSchool has indicated that they would send revised communications to impacted customers.

General acknowledgement of the breach and information can be found at https://www.powerschool.com/security/sis-incident/.

PowerSchool SIS Technical Contacts can access PowerSchool’s Cybersecurity Incident FAQ at https://help.powerschool.com/t5/Technical-Contact-Announcements/PowerSchool-Cybersecurity-Incident-Customer-FAQs/ba-p/535786 (requires login).
 

Has PowerSchool confirmed if students from our Student Information Systems (SIS) databases were impacted?

Yes. PowerSchool has indicated that they know the entire universe of impacted individuals, including students. The State of North Dakota has requested that they share the list of impacted individuals with us so that we can review it for reasonableness.
 

Has PowerSchool confirmed if teachers/staff from our Student Information Systems (SIS) databases were impacted?

Yes. PowerSchool has indicated that they know the entire universe of impacted individuals, including teachers. The State of North Dakota has requested that they share the list of impacted individuals with us so that we can review it for reasonableness.
 

Who is responsible for communication to affected constituents? Is this us (School Districts)? Is this NDIT? Is this PowerSchool?

PowerSchool has indicated that they will be sending breach notifications directly to affected individuals including information on credit monitoring or identity protection services.

PowerSchool is ultimately responsible for sending communications to affected constituents. However, we have asked PowerSchool to share the list of impacted individuals so that we can do some level of review against expected record counts.

PowerSchool has stated that more information would be forthcoming on this.
 

Are school districts required to notify the Attorney General’s Office (AGO) if records were confirmed to be part of the incident?

No. PowerSchool is required per N.D.C.C. 51-30-02 to notify AGO of the cyber incident impacting N.D. residents. PowerSchool mentioned on a call with NDIT on January 10 that they would be submitting a notification to AGO.
 

Are school districts required to notify North Dakota Insurance Reserve Fund (NDIRF)?

Yes. If the school district’s insurance carrier includes NDIRF, NDIRF has requested that each school district contact them directly if the school district has been notified of being impacted by the cyber incident.
 

What if my school district has other cyber insurance?

It is recommended that you contact your insurance company to notify them that your school district has been notified of being impacted by the cyber incident.
 

What advice can be given to students, staff, and parents who are concerned about personal information being impacted by this incident?

For teachers and students, credit reports can be frozen until a credit check is needed.  Further information on how to freeze a credit report, along with other financial safeguards and monitoring, can be found at the following sites: 

Note: Children under the age of 18 generally do not have a credit report.
 

Should PowerSchool user passwords be changed because of the cyber incident?

Yes, passwords should be changed any time a system was impacted by a cyber incident. Go to EduTech’s website for good password hygiene recommendations:

https://www.edutech.nd.gov/services/powerschool

 

I’ve seen PowerSchool Maintenance Remote Support activity in my PowerSchool logs from an IP address of 91[.]218[.]50[.]11 with a user “Rayson Cruz” and a case number of “10101010”. Has my PowerSchool instance been impacted?

Most likely. A Remote Support connection from the IP address of 91[.]218[.]50[.]11 with the user “Rayson Cruz” is one of the primary indicators of compromise. A review of logs will need to be performed to determine if the student and teacher table was successfully exported.

NDIT and EduTech have been performing their own review of PeopleSoft logs to ensure we understand the full scope of the incident. We are reaching out to School Districts that we believe to be impacted. If you have not already been contacted, please reach out to NDIT EduTech for more information.
 

I’ve seen PowerSchool Maintenance Remote Support activity in my PowerSchool logs with a user “Mike Jackson” and a case number of “audit”.  Has my PowerSchool instance been impacted?

Most likely. PowerSchool has confirmed that they did establish a remote support connection to impacted customer PowerSchool SIS instances to retrieve audit logs and fully understand the scope of impacted individuals. If you are seeing a remote connection with the user “Mike Jackson” and a case number of “audit”, this was PowerSchool retrieving audit logs from your PowerSchool instance as part of their incident response investigation.
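As an added example (not code from NDIT, EduTech or PowerSchool), the following triages remote-support log rows against the two patterns described above: the “Rayson Cruz” indicator and PowerSchool's own “Mike Jackson”/“audit” retrieval. The CSV column layout and the sample rows are assumptions constructed for illustration, and a match only flags a session for the export review described above.

```python
import csv
import io

# Indicators exactly as stated in the FAQ (IP kept defanged, refanged at match time).
IOC_IP = "91[.]218[.]50[.]11"
IOC_USER = "Rayson Cruz"
IOC_CASE = "10101010"
# PowerSchool's own incident-response retrieval of audit logs, per the FAQ.
VENDOR_USER = "Mike Jackson"
VENDOR_CASE = "audit"

def refang(value):
    """Undo '[.]' defanging so log values and indicators compare equal."""
    return value.strip().replace("[.]", ".")

def norm(value):
    """Case- and whitespace-insensitive key for names and case numbers."""
    return " ".join(value.split()).casefold()

def classify(row):
    """Return 'ioc', 'ioc-partial', 'vendor-ir' or 'other' for one row."""
    ip_hit = refang(row["source_ip"]) == refang(IOC_IP)
    user_hit = norm(row["user"]) == norm(IOC_USER)
    case_hit = norm(row["case"]) == norm(IOC_CASE)
    if ip_hit and user_hit:
        return "ioc"              # the primary indicator described in the FAQ
    if ip_hit or user_hit or case_hit:
        return "ioc-partial"      # one field matches: review manually
    if norm(row["user"]) == norm(VENDOR_USER) and norm(row["case"]) == norm(VENDOR_CASE):
        return "vendor-ir"        # PowerSchool retrieving audit logs
    return "other"

def triage(log_text):
    """Parse the (assumed) CSV export; return (timestamp, verdict) per row."""
    reader = csv.DictReader(io.StringIO(log_text.strip()))
    return [(row["timestamp"], classify(row)) for row in reader]

# Constructed sample: timestamps, other IPs, names and column layout are invented.
SAMPLE_LOG = """
timestamp,source_ip,user,case
2000-01-01T02:14:00Z,91.218.50.11,Rayson Cruz,10101010
2000-01-01T02:20:00Z,198.51.100.7,rayson  cruz,55555
2000-01-02T15:00:00Z,192.0.2.10,Mike Jackson,audit
2000-01-03T09:30:00Z,192.0.2.44,Jane Example,SR-0001
"""

if __name__ == "__main__":
    for ts, verdict in triage(SAMPLE_LOG):
        print(ts, verdict)
```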
 

PowerSchool has mentioned that CrowdStrike is producing a forensic report that they will share. Will this report be shared with Schools?

Yes, if allowed. NDIT will be asking PowerSchool for a copy of the report and will share the report with K12 stakeholders unless usage of the report is restricted or prohibited by PowerSchool.
 

Do I need to notify NDIRF even if I don’t know if my school district was impacted?

EduTech is contacting each school district to confirm if your school district was impacted by the cyber incident.  If you have not been contacted, please contact EduTech.

If EduTech confirms you were impacted, NDIRF has requested that you contact them.