PowerSchool and Charlotte-Mecklenburg Schools: PowerSchool returning to Charlotte-Mecklenburg Schools despite massive data breach in 2024

Charlotte-Mecklenburg Schools Reinstates PowerSchool Contract Despite 2024 Data Breach

Charlotte-Mecklenburg Schools (CMS) has approved a new one-year contract with PowerSchool, the education software provider behind a major 2024 data breach that exposed personal information of North Carolina students and teachers. The $347,000 agreement, finalized during a June 2025 Board of Education meeting, restricts PowerSchool’s use to district employees covering educator evaluations, professional development, and job application software while excluding student and parent data.

The breach, which prompted the North Carolina Department of Public Instruction to terminate its statewide PowerSchool contract in late 2024, led CMS to transition student records to Infinite Campus. Board Vice Chair Gregory “Dee” Rankin confirmed that Infinite Campus remains the district’s primary platform for grades, attendance, and student-related data, emphasizing no change in that system.

PowerSchool stated that its 2025 incident report guided security improvements, including investments in advanced protections and collaborations with regulators. The company’s limited role in CMS focused on HR functions like job applications and internal evaluations reflects a narrower scope post-breach. CMS clarified that PowerSchool’s tools remain in use by the state for educator assessments but are no longer tied to student data in the district.

Source: https://www.wbtv.com/2026/03/25/powerschool-returning-charlotte-mecklenburg-schools-despite-massive-data-breach-2024/

Charlotte-Mecklenburg Board of Education cybersecurity rating report: https://www.rankiteo.com/company/cms-boe

PowerSchool cybersecurity rating report: https://www.rankiteo.com/company/powerschool-group-llc

"id": "CMSPOW1774484702",
"linkid": "cms-boe, powerschool-group-llc",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Students and teachers in North '
                                              'Carolina',
                        'industry': 'Education',
                        'location': 'North Carolina, USA',
                        'name': 'Charlotte-Mecklenburg Schools (CMS)',
                        'type': 'Educational Institution'},
                       {'industry': 'Education Technology',
                        'name': 'PowerSchool',
                        'type': 'Software Provider'}],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (student and teacher personal '
                                        'information)',
                 'type_of_data_compromised': 'Personal information'},
 'date_detected': '2024',
 'date_publicly_disclosed': '2024',
 'description': 'Charlotte-Mecklenburg Schools (CMS) experienced a data breach '
                'involving PowerSchool, an education software provider, which '
                'exposed personal information of North Carolina students and '
                'teachers in 2024. Despite the breach, CMS reinstated a '
                'limited contract with PowerSchool in June 2025 for HR-related '
                'functions, excluding student and parent data.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Personal information of students and teachers',
            'identity_theft_risk': 'Yes',
            'operational_impact': 'Transition of student records to Infinite '
                                  'Campus',
            'systems_affected': 'PowerSchool education software'},
 'investigation_status': 'Ongoing (as of 2025)',
 'lessons_learned': 'Need for stricter data access controls and vendor '
                    'security assessments',
 'post_incident_analysis': {'corrective_actions': 'PowerSchool invested in '
                                                  'advanced protections and '
                                                  'collaborated with '
                                                  'regulators; CMS '
                                                  'transitioned student data '
                                                  'to Infinite Campus',
                            'root_causes': 'Insufficient security measures in '
                                           "PowerSchool's software"},
 'recommendations': 'Limit vendor access to sensitive data; enhance monitoring '
                    'of third-party software providers',
 'references': [{'date_accessed': '2025-06',
                 'source': 'Charlotte-Mecklenburg Schools Board of Education '
                           'Meeting'}],
 'regulatory_compliance': {'regulatory_notifications': 'North Carolina '
                                                       'Department of Public '
                                                       'Instruction terminated '
                                                       'statewide PowerSchool '
                                                       'contract'},
 'response': {'containment_measures': 'Exclusion of student and parent data '
                                      "from PowerSchool's scope",
              'remediation_measures': 'Transition to Infinite Campus for '
                                      'student records; security improvements '
                                      'by PowerSchool'},
 'stakeholder_advisories': 'North Carolina Department of Public Instruction '
                           'terminated statewide PowerSchool contract',
 'title': 'Charlotte-Mecklenburg Schools PowerSchool Data Breach',
 'type': 'Data Breach'}