Introduction

In December 2024 [1] [2] [3] [4] [5] [7] [8], PowerSchool [1] [2] [3] [4] [5] [6] [7] [8], an education technology provider [4] [6] [8], experienced a significant cyberattack that compromised sensitive data of millions of students and educators across North America. The breach, initiated through a stolen credential, led to the exposure of personally identifiable information and subsequent extortion attempts. This incident highlights the vulnerabilities in cybersecurity practices and the complexities involved in handling such breaches.

Description

Education technology provider PowerSchool confirmed it paid an undisclosed ransom shortly after a significant cyberattack on December 28, 2024, which was initiated through a single stolen credential used to access PowerSource, its customer support portal for the Student Information System (SIS) platform [1]. This breach compromised sensitive personally identifiable information of over 62 million students and 9 million educators across the US and Canada, affecting more than 6,500 school districts [5]. The stolen data included names, birthdates [1], Social Security numbers [1] [3] [5] [6] [7], addresses [1] [5] [6], contact information [2] [3] [6], medical notes [3], and historical records dating back to 2009 [7]. Although the breach affected numerous school districts [3], only four districts reported receiving ransom threats [3], with incidents noted from North Carolina to Toronto [3].

Following the initial attack, the Toronto District School Board (TDSB) reported a renewed cyber threat [4], receiving a new extortion message that prompted the activation of its cybersecurity response plan [4]. PowerSchool revealed that a threat actor targeted multiple school district customers [8], sending ransom demands via email in an attempt to extort them using data from the breach. The hacker had provided a video claiming to show the deletion of the stolen data but later resurfaced [4], demanding another ransom from TDSB and other school boards [4] and asserting possession of sensitive data from the initial breach [4]. Reports suggest that the group ShinyHunters may be involved [2], as indicated by a message referencing a major hack in the education sector [2]. PowerSchool stated that the current threat appears to be a continuation of the original incident [4], as the data samples in the extortion attempts match those stolen in December [4].

Despite earlier assurances that the compromised data would be destroyed, it became evident that the hackers did not fulfill their promise, as they continued to attempt extortion. Reports indicate that at least one school district [7], Toronto’s district school board [1] [2] [4] [7], is now facing extortion attempts from a threat actor claiming that the stolen data was not deleted [7]. Schools across North Carolina have also received similar extortion notes [7]. The company described the decision to pay the ransom as “very difficult,” emphasizing it was made in the best interest of its customers and the communities it serves [3]. However, the North Carolina Department of Public Instruction criticized PowerSchool for its previous assurances regarding data destruction [3], stating that the company is responsible for the breach and that there was little the education department or schools could have done to prevent it [3].

The incident underscores that paying a ransom does not guarantee the safety of stolen data or protection from further attacks [8]. A 2024 study by Cybereason found that 78% of victims who paid a ransom were targeted again [8], often by the same attackers [8]. Experts caution against paying ransoms [7], as there is no guarantee that hackers will fulfill their promises to delete stolen data [7]. Even after the ransom was paid [8], attackers continued to target individual school districts for additional payouts [8], illustrating the reality of double extortion [8]. In North Carolina [3] [6] [7], at least 20 school districts and the state Department of Public Instruction received multiple extortion emails from the hackers [6], prompting the state’s Superintendent of Public Instruction [6], Maurice Green [6], to indicate that information about the hackers’ demands would be shared with the state attorney general’s office for investigation [6].

In response to the ongoing threats, North Carolina plans to transition to competitor Infinite Campus [6], citing better cybersecurity practices [6]. PowerSchool has reported the extortion attempts to law enforcement in both the United States and Canada and is collaborating with affected schools. It is also offering two years of complimentary credit monitoring and identity protection services to impacted students and staff through Experian and TransUnion, regardless of whether their specific records contained sensitive identifiers [1]. As investigations continue [4], TDSB and other affected school boards are evaluating their security measures and incident response strategies [4], while PowerSchool faces pressure to enhance its security and restore stakeholder trust [4]. Public backlash against PowerSchool has included multiple class action lawsuits [3]. The breach occurred after unauthorized access was gained through the PowerSource customer support portal [3], which lacked multifactor authentication [3].

Conclusion

The PowerSchool cyberattack serves as a stark reminder of the critical importance of robust cybersecurity measures in protecting sensitive information. The incident has led to significant repercussions, including extortion attempts [1] [4] [5] [6] [7], public backlash [3], and legal challenges. It underscores the need for organizations to implement comprehensive security protocols, such as multifactor authentication [3], and to remain vigilant against potential threats. As affected entities work to mitigate the impact and prevent future breaches, the education sector must prioritize cybersecurity to safeguard the data of students and educators.

References

[1] https://cyberinsider.com/powerschool-ransom-fallout-extortion-attempts-hit-schools-months-after-data-breach/
[2] https://hackread.com/powerschool-paid-ransom-now-hackers-target-teachers/
[3] https://www.k12dive.com/news/powerschool-data-breach-school-extortion-attempts/747690/
[4] https://thecyberexpress.com/powerschool-data-breach-leads-tdsb-extortion/
[5] https://www.techradar.com/pro/security/powerschool-hackers-return-and-may-not-have-deleted-stolen-data-as-promised
[6] https://www.the74million.org/article/powerschool-paid-off-hackers-after-huge-breach-now-theyre-extorting-districts/
[7] https://techcrunch.com/2025/05/08/powerschool-paid-a-hackers-ransom-but-now-schools-say-they-are-being-extorted/
[8] https://www.infosecurity-magazine.com/news/powerschool-ransom-payment/