Threat actors behind the 2024 PowerSchool data breach continue to extort individual schools, despite the education software developer having already made a ransom payment.
“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” the company stated.
The cyber attack came to light on December 28, 2024, when PowerSchool detected unauthorized access to its systems, initiated incident response protocols, and launched an investigation with third-party cyber forensics.
The investigation determined that the data breach exposed personal details including the victims’ names, contact information, dates of birth, limited medical alert information, Social Security Numbers, and other related information.
However, after paying the ransom, the company assured affected customers that the stolen information had been deleted and would not be further exploited.
PowerSchool confirms continued extortion after ransom payment
PowerSchool recently discovered that several affected schools have received new ransom payment demands despite having complied with the threat actors’ previous requests.
However, it ruled out a new data breach, since the data samples the threat actors shared with the affected schools matched the previously stolen information. It also notified law enforcement authorities about the attempted cyber extortion.
“We do not believe this is a new incident, as samples of data match the data previously stolen in December. We have reported this matter to law enforcement both in the United States and in Canada and are working closely with our customers to support them,” said PowerSchool.
In a letter to parents, Canada’s Toronto District School Board (TDSB) confirmed extortion attempts related to the PowerSchool breach.
“Earlier this week, TDSB was made aware that the data was not destroyed. TDSB, along with other North American school boards, received a communication from a threat actor demanding a ransom using data from the previously reported December 2024 incident,” the school board stated.
Meanwhile, PowerSchool has apologized for the attempted extortion and promised to continue working with the affected customers and relevant law enforcement authorities to resolve the incident. It also encouraged affected individuals to enroll in the free two-year credit monitoring service it is providing, with enrollment open until July 31, 2025, to protect themselves from fraud.
PowerSchool also justified its ransom payment decision, saying it believed complying with the threat actors’ demands was in the victims’ best interest.
“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” it said.
Ransom payment dilemma
While they discourage ransom payments, U.S. authorities advise companies to assess the risk and impact that data exposure could have on the company and the victims before deciding whether to pay.
Ngoc Bui, Cybersecurity Expert at Menlo Security, echoed the U.S. government’s position, stating that refusing to pay a ransom could be disastrous for critical organizations.
“While paying ransoms might incentivize threat actors, the reality is that not paying a ransom could be more damaging, especially for organizations involved in critical infrastructure,” said Bui. “The disruption from ransomware can be disastrous, and organizations of all sizes must prioritize protecting both operations and stakeholders. Organizations that suffer a ransomware attack should also use it as a learning opportunity to fine-tune their security measures and ensure they are using actionable intelligence to do so.”
However, Nic Adams, Co-Founder & CEO, 0rcus, slammed PowerSchool’s decision to pay the ransom and the FBI’s “horrible advice.”
“Paying was a major tactical misstep,” said Adams. “The attacker staged a deletion video, probably through container rollbacks or wiping decoy data. Real exfil likely sat offline, in cold storage, or routed through layered proxies.”
“Another example is Colonial Pipeline who paid but still had to rebuild infra. In multiple healthcare and government cases, data showed up weeks later,” added Adams. “In general, the FBI offers horrible advice, akin to taking lessons from a boxer who almost always keeps getting knocked out by amateurs.”
Once again, threat actors have proven that ransom payment does not guarantee that the stolen data will not be misused, sold, or used for subsequent extortion.