PowerSchool Pays Off Hacker, but Schools Allege Ongoing Extortion

Months following the ransomware incident involving the education software provider PowerSchool, which paid a hacker to regain control over a vast collection of stolen student data, at least one school district now claims to be facing extortion from an individual alleging that the data is still accessible.

PowerSchool, which provides K-12 software to numerous educational institutions, supports over 60 million students across North America. The company experienced a breach in December 2024 due to a compromised credential, allowing the hacker extensive access to databases containing personally identifiable information for both students and teachers, including Social Security numbers and health records.

At that time, the company revealed it had paid a ransom to supposedly eliminate the stolen data but has consistently refrained from disclosing the ransom amount.

Recently, the Toronto district school board, which serves around 240,000 students annually, reported that it had “received a communication from a threat actor demanding a ransom using data from the previously reported incident.”

According to local reports, many other schools across North America have also experienced similar extortion threats, particularly in North Carolina.

PowerSchool confirmed that it had made a payment to the hacker, explaining that the company “believed it was the best course of action to prevent the data from becoming public.”

Cybersecurity experts and law enforcement officials have long cautioned against paying ransoms, as there is no guarantee that hackers will honor their commitment to erase the compromised data. Historical instances of ransomware and extortion indicate that some malicious groups retain significant amounts of stolen data to target victims again with further demands.

In a statement provided to customers this week and reviewed by TechCrunch, PowerSchool noted that it has “recently become aware that a threat actor has contacted some PowerSchool SIS clients in an effort to extort them using data” from the December 2024 breach.

Beth Keebler, a spokesperson for PowerSchool, told TechCrunch that the company does not believe this represents a new incident, as “samples of the data correspond with the data previously stolen in December.”

PowerSchool has not yet disclosed the number of individuals impacted by the data breach. Several school districts that utilized PowerSchool during the breach reported to TechCrunch that “all” their historical student and teacher records were compromised.

In the Toronto school district, the stolen records extend back to at least 2009, potentially affecting millions of individuals.