PowerSchool Acknowledges Ransom Payment in Response to New Extortion Threats

Education technology provider PowerSchool has confirmed that it paid a ransomware demand to prevent cybercriminals from publishing stolen data belonging to teachers and students in the US and Canada.

The North American school software supplier acknowledged the payment following revelations that a threat actor had contacted multiple school district customers in a renewed effort to extort them using data compromised in the December 2024 incident. The data sample used in the extortion attempts matched the information stolen during the earlier cyber incident, indicating that this was not a new breach.

It appears that the unnamed threat actor failed to delete the stolen data, contrary to promises made as part of the payment agreement. In an update dated May 7, PowerSchool expressed regret over the situation, stating, “It pains us that our customers are being threatened and re-victimized by bad actors.”

PowerSchool indicated that the decision to pay the ransom was made shortly after the incident’s discovery. The company’s leadership believed it was in the best interest of their customers, students, and the communities served. “It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action,” they commented.

The firm acknowledged the inherent risk of ransom payments, noting that it was aware the threat actor might not honor assurances to delete the stolen data. Rumors regarding the payment surfaced in January, when a message from the Howard-Suamico School District in Wisconsin alluded to confirmation that, while this was not a ransomware attack, PowerSchool did pay a ransom to prevent the data from being released.

Despite earlier denials, PowerSchool has not ruled out the possibility of the information being disseminated without their knowledge.

Payment of Ransom Offers No Security Assurance

This incident highlights a critical issue within cybersecurity: paying a ransom does not guarantee that stolen data will remain secure or that victims will be protected from subsequent attacks. A study conducted by Cybereason in 2024 revealed that 78% of victims who paid a ransom were subsequently targeted again, often by the same actors.

Dr. Darren Williams, Founder and CEO of BlackFog, pointed out, “In this case, even after a ransom was paid, attackers reportedly continued to threaten individual school districts for additional payouts. That’s the harsh reality of double extortion: once data is stolen, threat actors hold the upper hand indefinitely.” He further indicated that the shift in ransomware tactics towards data theft increases the chances of such occurrences.

“The trend of data theft, either concurrently with encryption or independently, complicates detection and defense against attacks. Organizations must focus not just on system fortification but also on preventing real-time data exfiltration,” Williams added.

Data Breach Origin and Impact

On January 7, 2025, PowerSchool formally notified its customers about the breach. They disclosed that a malicious actor had gained unauthorized access through compromised credentials associated with one of its customer support portals.

Subsequent updates revealed that the stolen information included a range of personal details about current and former students and educators, including names, contact information, dates of birth, limited medical alerts, and Social Security or Social Insurance numbers. However, there is no evidence to suggest that credit card or banking details were compromised.

The incident has been reported to law enforcement officials in both the United States and Canada. PowerSchool, which offers K-12 solutions and cloud-based services, serves an extensive user base, including over 60 million students and more than 18,000 customers across 90 countries. Following its acquisition by Bain Capital in October 2024, the company’s focus on enhancing cybersecurity measures has intensified.