Following a significant data breach, PowerSchool has reportedly paid a ransom, only to find hackers now targeting educational staff and institutions with direct extortion threats.
On December 28, 2024, PowerSchool, a prominent player in the education technology sector, suffered one of the largest data breaches in the history of U.S. schools, compromising sensitive information of more than 60 million students and 9.5 million educators. The company responded by paying an undisclosed ransom to mitigate the damage.
However, the repercussions of the breach have persisted. In the months following the incident, hackers have begun directly reaching out to schools, applying pressure on teachers and staff with threats to expose stolen data unless additional payments are made.
The breach’s entry point was traced back to PowerSource, a customer support portal linked with PowerSchool’s Student Information System (SIS). Although PowerSchool believed that paying the ransom would suffice to contain the fallout, ongoing extortion attempts indicate otherwise. Hackers even released a video alleging the deletion of the stolen data, yet subsequent communications suggest that their operations continue unabated.
School districts now face individual threats regarding the release of sensitive records unless new ransom demands are met. For instance, the Toronto District School Board (TDSB) has confirmed receiving such ransom demands from the attackers, as outlined in a communication to parents and guardians.
“Earlier this week, TDSB was made aware that the data was not destroyed. TDSB, along with other North American school boards, received communication from a threat actor demanding a ransom using data from the December 2024 incident.”
Toronto District School Board (TDSB)
What Data Was Compromised?
The compromised data varies significantly by school district, depending on system settings, and includes names, contact information, birth dates, Social Security numbers, and even certain medical alert records.
In response to the breach, PowerSchool has issued a data breach notice, offering two years of complimentary identity protection for those affected. Adults can access credit monitoring services, while minors are provided with Social Security number tracking and dark web surveillance. Enrollment must occur by July 31, 2025, using codes provided by Experian.
Identifying the Attackers
While PowerSchool has not named the group responsible for the breach, reports suggest that the notorious hacking group ShinyHunters may be the culprits. This speculation arises from a message allegedly sent by ShinyHunters, indicating a significant hack aimed at the education sector with severe implications for non-compliant victims. However, verification of this claim remains pending due to the group’s silence in subsequent communications.
Implications of the Ransom Payment
The rationale behind PowerSchool’s ransom payment was to safeguard schools and students. Nevertheless, cybersecurity experts caution that complying with such demands may exacerbate the situation. This dilemma echoes the evolving guidance from the FBI, which now advises against paying ransoms after initially advocating for such actions in 2015.
According to Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue, this incident marks a troubling trend where initial ransom payments encourage subsequent attempts. “Cybercriminals recognize that a ransom paid once increases the likelihood of future payments,” he remarked, reflecting on the shift from file encryption to threats of public data leaks.
PowerSchool has affirmed its commitment to collaborating with law enforcement and supporting affected institutions. Nonetheless, it remains uncertain whether the compromised data has been fully protected or if additional attacks are imminent.
PowerSchool Faces Contract Termination
In light of the data breach, North Carolina has opted not to renew its contract with PowerSchool, citing concerns over the handling of the incident and the ongoing risks associated with the company’s systems. This decision reflects a broader skepticism toward PowerSchool’s capacity to ensure data security moving forward.
Recommended Actions for Stakeholders
Individuals impacted by the breach are urged to enroll in the provided identity protection services and to monitor vigilantly for unusual activity. PowerSchool has disseminated detailed instructions for enrollment, with separate processes for adults and minors. The company emphasizes the importance of not responding to unsolicited communications seeking personal information, as it will not initiate contact in that manner.
This incident stands as one of the most significant breaches recorded in the education sector, with its long-term repercussions still unfolding. The clear takeaway is that yielding to ransom demands is not a viable solution for securing sensitive data.