PowerSchool paid a hacker’s ransom, but now schools say they are being extorted


CodeCanyon

Months after the hacked education software maker PowerSchool paid a hacker’s ransom to delete the company’s banks of stolen student data, at least one school district says it is now being extorted by someone who said the data was not destroyed.

PowerSchool, which provides its K-12 software to thousands of schools to support 60 million students across North America, was hacked in December 2024 using a single stolen credential, which allowed a hacker broad access to PowerSchool’s stores of personally identifiable student and teacher data, including Social Security numbers and health data.

The company said at the time that it had paid the hacker a ransom to allegedly delete the stolen data, but it has repeatedly refused to disclose the sum it paid.

Now, Toronto’s district school board, which serves around 240,000 students each year, said in a statement that earlier this week it had “received a communication from a threat actor demanding a ransom using data from the previously reported incident.” 

Several other schools in North America received extortion notes, including across North Carolina, per local media.

PowerSchool confirmed that it had paid the ransom at the time, saying the company “thought it was the best option for preventing the data from being made public.” 

Some cybersecurity professionals and law enforcement have long discouraged victims from paying a ransom as there are no guarantees that the hackers will stick to their word when claiming to delete stolen data. As evidenced by past ransomware and extortion incidents, some gangs were later found to have retained huge amounts of stolen victim data, often to revictimize affected individuals with additional extortion attempts.

In a statement shared with customers this week, seen by TechCrunch, PowerSchool said it “recently became aware that a threat actor has reached out to some PowerSchool SIS customers in an attempt to extort them using data” from the December 2024 breach.

Beth Keebler, a spokesperson for PowerSchool, told TechCrunch that the company does not think this is a new incident because “samples of data match the data previously stolen in December.”

PowerSchool has not yet said how many individuals are affected by its data breach. Several school districts that used PowerSchool at the time of the breach told TechCrunch that “all” of their historical student and teacher data was compromised.

In the case of Toronto’s school district, the stolen records date back to at least 2009 and are likely to affect millions of people.
