In a troubling development for the education technology sector, PowerSchool has publicly confirmed its payment of a ransom aimed at preventing the release of stolen personal data belonging to students and teachers across the U.S. and Canada. This decision follows a new wave of extortion attempts by cybercriminals who contacted various school district clients with threats related to a data breach that occurred in December 2024.
“PowerSchool sincerely regrets these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the company stated in an update issued on May 7.
The latest extortion attempts involved sample data that PowerSchool identified as being part of the previously compromised information. The firm asserted that this does not signify a new breach but rather an ongoing exploitation of the December incident. Notably, the unnamed threat actor appears to have retained access to the stolen data, despite earlier promises to delete it following the ransom payment.
In the aftermath of the incident, PowerSchool disclosed that they opted to pay the ransom shortly after individual school districts found themselves once more under threat. “We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly,” the company explained.
Discovery of this situation led to speculation in January, fueled by communications from the Howard-Suamico School District in Wisconsin. “PowerSchool confirmed that this was not a ransomware attack, but it did pay a ransom to prevent the data from being released,” the district informed parents, implicitly acknowledging the severity of the situation while sidestepping the 'ransomware' label.
Looking Ahead
Looking Ahead
Looking Ahead
This scenario exemplifies a critical lesson in the cybersecurity landscape: paying a ransom does not assure recovery or protection from future breaches. A recent study by Cybereason highlighted this alarming trend, revealing that approximately 78% of organizations that comply with ransomware demands experience subsequent attacks, often from the same perpetrators.
Dr. Darren Williams, the Founder and CEO of BlackFog, emphasized, “In this case, even after a ransom was paid, attackers reportedly continued targeting individual school districts for additional payouts. That’s the harsh reality of double extortion: once data is stolen, threat actors hold the upper hand indefinitely.” He added that the evolution of ransomware tactics, particularly the focus on data theft, complicates detection and defense measures.
PowerSchool initially notified its clients of the breach on January 7, 2025. This breach was instigated by a compromised credential linked to a customer support portal, allowing unauthorized access to sensitive information.
By the Numbers
By the Numbers
The stolen data comprised various personal details from current and former students and educators, including names, dates of birth, contact information, and Social Security Numbers. Fortunately, it appears that no banking or credit card information was compromised during this incident.
Law enforcement agencies in the United States and Canada have been alerted to the breach, reflecting the seriousness with which PowerSchool views the situation. As a key player in K-12 educational software and cloud solutions, the firm serves over 60 million students and has more than 18,000 clients in over 90 countries. PowerSchool was acquired by Bain Capital in October 2024 in a bid to enhance its educational resources and technological offerings.
While the ramifications of this breach are still unfolding, it underscores the need for organizations, especially those in education, to bolster their cybersecurity frameworks to protect sensitive data and address the persistent threat from cybercriminals.
