PowerSchool Ransomware Attack: Schools Face Further Extortion

PowerSchool Data Breach: Extortion Attempts Continue

Despite a ransom payment made months ago by the educational software company PowerSchool to eliminate stolen student data, at least one school district is now facing extortion demands.

The threat actor claims the data was not, in fact, destroyed as promised.

Initial Breach and Ransom Payment

PowerSchool, a provider of K-12 software utilized by thousands of schools and supporting 60 million students in North America, experienced a security incident in December 2024.

Access was gained through a single compromised credential, granting the hacker extensive access to personally identifiable information (PII) belonging to students and teachers.

This included sensitive data such as Social Security numbers and health records.

The company opted to pay a ransom with the intention of securing the deletion of the stolen data, though the exact amount remains undisclosed.

New Extortion Attempts Surface

Toronto’s district school board, serving approximately 240,000 students annually, recently reported receiving an extortion communication.

The communication originated from a threat actor utilizing data from the previously reported breach.

Similar extortion notes have been received by other schools across North America, including locations within North Carolina, according to local news reports.

PowerSchool's Response and Concerns

PowerSchool confirmed the initial ransom payment, stating it was considered the most effective course of action to prevent public disclosure of the data.

However, cybersecurity experts and law enforcement agencies generally advise against paying ransoms.

There is no assurance that hackers will uphold their end of the bargain regarding data deletion.

Past incidents have demonstrated that some groups retain stolen data for future revictimization attempts.

Ongoing Investigation and Impact

A statement from PowerSchool, shared with customers and reviewed by TechCrunch, acknowledges awareness of the extortion attempts.

The company believes the current activity stems from the December 2024 breach, as data samples align with previously stolen information.

Beth Keebler, a PowerSchool spokesperson, indicated to TechCrunch that this is not considered a new incident.

The full extent of the data breach, including the number of affected individuals, has not yet been determined.

Several school districts have reported that “all” of their historical student and teacher data was compromised.

Scope of the Data Exposure

In Toronto, the compromised records extend back to at least 2009, potentially impacting millions of individuals.

This highlights the long-term implications of the initial data breach and the continued risk to affected parties.