No Happy Ending: PowerSchool’s Hacker Strikes at Customers

Fraud Management & Cybercrime, Incident & Breach Response, Ransomware

After Vendor Paid for Data-Deletion Promise, Criminals Extort Schools Directly

Let’s gather around and listen to the story of the ransomware hackers who deleted stolen data. (Image: Shutterstock)

In a troubling turn of events, PowerSchool, a provider of widely used K-12 student information systems, has found itself at the center of a cybersecurity crisis following a data breach last December. PowerSchool succumbed to extortion and paid a ransom in exchange for the attackers' assurance that they would delete the stolen data, but that promise has proven empty. The fallout began with a notification to affected schools, students, and parents indicating that the cybercriminals had not, in fact, deleted the compromised data.

Five months after the breach, an IT administrator in a school district reached out with alarming news: the attackers retained access to the stolen data, which PowerSchool had hoped would become inaccessible upon payment. This revelation aligns with an update from the vendor, which warned customers that new extortion attempts linked to the December incident were underway, indicating a direct continuation of the threat.

PowerSchool’s communication marks a pivotal admission regarding its decision to pay the ransom, emphasizing that this was done to protect student and faculty information from public exposure. The firm acknowledged the inherent risks associated with such actions, citing a well-known reality in cybersecurity: that criminals may not honor their agreements.

As outlined in the alert, the stolen data reportedly includes sensitive personal information, such as names, Social Security numbers, and other identifying details, specifically affecting individuals in North Carolina, where the state government has actively warned school districts about ongoing extortion efforts related to PowerSchool. This situation underscores a pattern where attackers leverage stolen data for further financial gain, consistently disregarding any prior assurance to erase it.

From a tactical perspective, the adversaries in this case may have employed several MITRE ATT&CK techniques over the course of the attack. Initial access likely came through compromised credentials or vulnerabilities in the software, followed by persistence mechanisms that allowed continued access to sensitive data. Privilege escalation and lateral movement techniques could then have been used to navigate the network and obtain further information after the initial breach.

Despite expert recommendations against appeasing cybercriminals, victims continue to find themselves in precarious situations where paying the ransom seems like the best option. However, this escalates the cycle of attacks, as observed in high-profile cases involving other companies that have similarly fallen victim to extortion. The continued willingness of organizations to capitulate to demands inadvertently fuels the cybercrime economy.

Although it is challenging to predict whether future data leaks will occur, the precedent suggests that criminals may leverage the data withheld even after a ransom is paid. Cybersecurity analysts maintain that paying does not guarantee the promised deletion of data, thus reinforcing the need for organizations to strengthen their cybersecurity frameworks and consider alternatives to compliance with ransom demands.

The PowerSchool incident serves as a stark reminder for all sectors, especially educational institutions that handle sensitive information. Organizations must adopt a proactive approach towards data security and incident preparedness to mitigate risks associated with potential breaches and avoid being ensnared in the cycle of extortion.

Updated May 8, 21:39 UTC: This article has been revised to acknowledge instances where some cybercrime entities may ultimately refrain from leaking data post-payment.
