PowerSchool has issued a critical warning regarding ongoing cybersecurity threats stemming from the December 2024 data breach, specifically about extortion attempts targeting educational institutions. The company disclosed that the hacker responsible is now individually extorting affected schools, demanding ransom in exchange for preventing the release of sensitive student and teacher data, which had already been compromised.
In a statement shared with BleepingComputer, PowerSchool confirmed, “We are aware that a threat actor has reached out to multiple school district customers to extort them using data from the previously reported December 2024 incident.” They emphasized that this is not a new breach, as the data being used for these threats matches what was stolen during the initial attack. PowerSchool has reported the situation to law enforcement agencies in both the United States and Canada, reiterating their commitment to supporting affected customers through this distressing situation.
PowerSchool expressed regret over the continuation of threats from the breach, assuring that they will collaborate with law enforcement to address the extortion attempts. The company has also advised students and faculty to utilize the complimentary two years of credit monitoring and identity protection services they are offering to mitigate risks related to fraud and identity theft. More information is available in the company’s security incident FAQ section.
Reflecting on their decision to pay the ransom, PowerSchool described it as a difficult but necessary choice aimed at safeguarding their customers. “Any organization facing a ransomware or data extortion attack must carefully consider its options during such incidents. In the days following our discovery of the December 2024 breach, we opted to pay a ransom, as we believed this was in the best interest of our customers and the communities we serve,” the statement continued. They acknowledged the inherent risks in this approach, including the possibility that the cybercriminals would not fulfill their promise to delete the stolen data.
### Overview of the PowerSchool Data Breach
The PowerSchool security incident, disclosed in January, involved a breach of its PowerSource customer support portal through compromised credentials. Using that access, the threat actors ran a remote maintenance tool to connect to individual school districts' instances and download their databases.
The databases varied by district but included critical information such as the full names, physical addresses, phone numbers, passwords, parent contacts, Social Security numbers, medical data, and academic records of students and faculty. Although the breach was detected on December 28, 2024, initial investigations revealed that the intrusion had begun several months earlier, in August and September of 2024, through the same compromised credentials.
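The two paragraphs above describe the pattern defenders care about: one support-side credential used to pull whole databases from many districts, and a first use that predates detection by months. The following is an added example, not code from PowerSchool or from the original article, of how a detection rule for that pattern can be written over audit-log lines. The log format, the account and district names, the row counts and the alert threshold are all constructed for illustration; a real deployment would read the vendor's own access logs and tune the threshold to normal support behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real PowerSchool or PowerSource logs).
# One support account exports five districts within half an hour in August;
# another account does a single small export, which is normal support work.
SAMPLE_LOG = """\
2024-08-16T02:11:09Z user=support-01 action=remote_session district=d101
2024-08-16T02:14:40Z user=support-01 action=db_export district=d101 rows=48213
2024-08-16T02:20:03Z user=support-01 action=db_export district=d102 rows=51977
2024-08-16T02:25:51Z user=support-01 action=db_export district=d103 rows=39800
2024-08-16T02:31:12Z user=support-01 action=db_export district=d104 rows=60412
2024-08-16T02:37:48Z user=support-01 action=db_export district=d105 rows=44105
2024-09-03T14:02:10Z user=support-07 action=remote_session district=d220
2024-09-03T14:05:33Z user=support-07 action=db_export district=d220 rows=1200
2024-12-28T09:41:00Z user=support-01 action=db_export district=d310 rows=52000
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), TS_FORMAT)
    if "rows" in fields:
        fields["rows"] = int(fields["rows"])
    return fields


def parse_log(text):
    """Parse all non-empty lines, silently dropping malformed ones."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e]


def flag_bulk_exports(events, max_districts=3, window=timedelta(hours=24)):
    """Flag accounts that export databases from more than max_districts distinct
    districts inside a sliding time window. Returns {user: (window_start, districts)}.
    The threshold is an assumption; tune it to what legitimate support staff do."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "db_export":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            districts = {e["district"] for e in in_window}
            if len(districts) > max_districts:
                alerts[user] = (start["ts"], sorted(districts))
                break  # first offending window is enough for an alert
    return alerts


def first_activity(events, user):
    """Earliest timestamp at which the account appears in the log, or None."""
    stamps = [e["ts"] for e in events if e.get("user") == user]
    return min(stamps) if stamps else None


def dwell_days(events, user, detected_at_iso):
    """Whole days between the account's first logged activity and the detection
    date, i.e. how long the credential was in use before anyone noticed."""
    first = first_activity(events, user)
    if first is None:
        return None
    detected = datetime.strptime(detected_at_iso, TS_FORMAT)
    return (detected.date() - first.date()).days


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, (start, districts) in flag_bulk_exports(evs).items():
        print(f"ALERT {user}: {len(districts)} districts exported from {start}: {districts}")
    # Detection date taken from the article; the August first-use is constructed.
    print("dwell days for support-01:", dwell_days(evs, "support-01", "2024-12-28T00:00:00Z"))
```

The multi-district rule catches the mass-download behaviour at the time it happens, which is the check that matters most; the dwell-time helper is what an incident responder runs afterwards to find how far back the same credential was active, which is exactly how the August and September activity in the article came to light.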
As reported by BleepingComputer, the attackers claimed to have compromised the data of approximately 62.4 million students and 9.5 million teachers across 6,505 school districts in the U.S., Canada, and other nations. Following the breach, PowerSchool made the controversial decision to pay a ransom to avert the public release of sensitive information. Although the attackers provided a video purportedly confirming the deletion of the data, subsequent developments suggest otherwise.
Experts in cybersecurity and ransomware negotiations have consistently warned against paying ransoms, highlighting that cybercriminals are increasingly failing to uphold their end of the bargain concerning data deletion. Unlike a decryption key, whose effectiveness can be checked by actually decrypting files, a promise to delete stolen data cannot be verified: the victim has no way to confirm that every copy is gone.
A recent example includes UnitedHealth’s Change Healthcare ransomware attack, where the organization paid a ransom to the BlackCat ransomware group for both a decryption tool and assurances against data leaks. However, after the group executed an exit scam, an affiliate claimed ownership of the data and extorted UnitedHealth again. Reports suggest that UnitedHealth may have agreed to pay a second ransom to prevent further leaks.
As the cybersecurity landscape evolves, organizations must remain vigilant and informed regarding best practices for data protection and incident response. The PowerSchool breach is a stark reminder that a paid ransom does not end an extortion campaign, and that proactive measures are needed to protect both sensitive information and the communities the affected institutions serve.