Despite ransom payment, PowerSchool hacker now extorting individual school districts


An education tech giant that was hacked in December said Wednesday that the same threat actor is now attempting to use the stolen data to extort the individual school districts that it works with.

PowerSchool — which was breached in late December, exposing the sensitive personal data of more than 60 million K-12 students and more than nine million teachers — had previously said the incident had been “contained” and that it had paid a ransom.

At the time, PowerSchool expressed confidence the incident was resolved, telling Bleeping Computer the hacker shared a video which purported to show the data being deleted.

By Wednesday, it had become clear that was wishful thinking.

The company posted a statement on its website saying it is “aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident.”

PowerSchool said it does not believe the hacker has obtained new data because samples of the data being used in the new extortion attempt match the material taken in December.

Four school boards were contacted with the extortion requests, according to a source familiar with the investigation. PowerSchool did not immediately respond to a question from Recorded Future News about how many of its customers were extorted.

The company said it has reported the latest incidents to law enforcement in the U.S. and Canada and is supporting clients who have been targeted.

“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the statement said.

Referring to the video the hacker shared after PowerSchool paid him months ago, Wednesday’s statement said that even though the company made the difficult decision to pay a ransom, as is “always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

In February, Recorded Future News reported that the breached data in some cases includes student special education status, mental health details, disciplinary notes and parental restraining orders.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 
