PowerSchool data breach leads to school extortion attempts


For years, the FBI has advised schools and other organizations not to pay ransomware demands, because doing so can embolden threat actors and there’s no guarantee that stolen data will be recovered.

PowerSchool acknowledged in a Wednesday statement that it made a “very difficult decision” to pay a ransom after the December 2024 incident. The company said it thought paying a ransom was the best option for preventing the data from going public. 

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” PowerSchool said. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

A PowerSchool spokesperson said the company is not disclosing how much it paid to the threat actor. 

Meanwhile in North Carolina, the state’s education department pointed out in a Wednesday statement that PowerSchool had assured its customers five months ago that the data compromised in the December 2024 data breach was not shared and had been destroyed. 

“Unfortunately, that has proven to be incorrect,” the North Carolina Department of Public Instruction said. “PowerSchool is the party responsible for the breach. There is nothing NCDPI, school districts or individual schools could have done to prevent these violations.”

The state education department added that it will not engage with the threat actors and that doing so would violate North Carolina law.

Additionally, the department said the incident appears to be a global cybersecurity incident impacting customers in multiple states and Canada. An FBI investigation into the matter is ongoing, according to NCDPI.

PowerSchool is working directly with the contacted schools and law enforcement, the company’s spokesperson said. The company is also providing free credit monitoring and identity protection services to students and staff. 

Public pushback against PowerSchool since it announced the initial data breach in January has included multiple class action lawsuits. The company serves over 60 million students and 18,000 educational customers.

The data breach occurred after a threat actor gained unauthorized access to an unknown amount of student and staff data by infiltrating the company’s PowerSource customer support portal for district and school staff. PowerSchool previously confirmed to K-12 Dive that the same system lacked multifactor authentication — a standard and encouraged practice for securing sensitive data.

https://www.k12dive.com/news/powerschool-data-breach-school-extortion-attempts/747690/