Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
The company confirmed that this is not a new incident, but a resurgence tied to the December 2024 breach, with attackers re-leveraging previously exfiltrated information.
The extortion campaign was first brought to light by school districts such as Toronto’s, which reported receiving ransom demands earlier this week. The Toronto District School Board, which serves over 240,000 students, said the threat actor presented data samples linked to the December breach, seeking additional payment. Similar reports have emerged from districts across North Carolina and other regions in North America.
The original intrusion was traced to a single compromised credential used to access PowerSource, a customer support portal for PowerSchool's Student Information System (SIS) platform. The attacker exploited this foothold to exfiltrate vast quantities of sensitive data — including names, birthdates, Social Security Numbers (SSNs), contact details, and limited medical information — from SIS environments used by schools in the U.S. and Canada. Though PowerSchool claims no malware was deployed and other product lines were unaffected, the scale of the exfiltration was significant.
PowerSchool, a major provider of cloud-based K–12 educational software, serves over 60 million students across thousands of schools. The December 2024 incident, according to third-party cybersecurity firm CrowdStrike, was confined to SIS instances but involved unauthorized export of data from student and teacher tables. Some of the largest school districts in North America were reportedly impacted, including Dallas ISD, Wake County Public Schools, and the Toronto board, with data sets going back over a decade.
In its latest announcement, PowerSchool reiterated that the renewed extortion is tied to the original breach and not the result of a new compromise. “Samples of data match the data previously stolen,” spokesperson Beth Keebler confirmed. The company disclosed that it had paid a ransom shortly after the breach, hoping the payment would prevent the public release of the data. While the attackers allegedly provided assurances that the stolen data had been deleted, the current round of extortion attempts confirms that at least some of the data remains in circulation.
Cybersecurity experts and law enforcement have long warned against ransom payments, emphasizing the lack of enforceability behind criminals' promises. In many cases, stolen data resurfaces later in new extortion campaigns or is sold on dark web marketplaces, leading to prolonged harm for victims.
To mitigate fallout, PowerSchool is offering two years of complimentary credit monitoring and identity protection to affected students and educators. The services are being provided via Experian and TransUnion, and are available to all individuals potentially impacted, regardless of whether sensitive identifiers like SSNs were included in their specific records.
PowerSchool continues to work with U.S. and Canadian law enforcement and has issued notifications to all SIS customers.
Leave a Reply