The Register

PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied

An education tech provider that paid a ransom to prevent the leak of stolen student and teacher data is now watching its school district customers get individually extorted by either the same ransomware crew that hit it – or someone connected to the crooks.

In December, PowerSchool – whose student information management system holds records on more than 60 million K-12 students (ages 5 to 18) primarily in North America – suffered an IT security breach: Extortionists used a compromised login credential to access and exfiltrate from its systems sensitive information on kids and adults.

The stolen data included names, contact information, dates of birth, some medical info, Social Security numbers, and other “related information,” the software vendor said at the time.

This wasn’t a traditional ransomware attack as no files were encrypted; instead, it was a simple data heist using a stolen cred. PowerSchool paid off the thieves to not just keep the purloined info under wraps but to delete all copies of it so that it could never be released and/or misused. The size of the ransom payment remains undisclosed.

Now, it turns out someone somehow still has a copy of the purloined data – or claims to have – and is trying to extort individual school districts whose info was stored in PowerSchool’s ransacked databases: Officials are under pressure to cough up ransoms or potentially face having their districts’ data leaked. The Toronto District School Board (TDSB), a PowerSchool customer in Canada, spelled out the situation this week, pouring doubt on whether the ransomware crew ever deleted the pilfered data as promised:

“TDSB does not store any Social Insurance Numbers, financial or banking information in PowerSchool, so that information was not affected in any way by the breach,” the board added.

As indicated, the Canadians are not alone. For example, school and state education employees in North Carolina reportedly also received messages from crooks claiming to have access to data stolen from the PowerSchool database breach. The message was simple: Pay up or else.

According to a PowerSchool spokesperson, these latest extortion attempts at least cite data that matches the information stolen in the December heist, and are not the result of a new intrusion. The biz says it’s working with law enforcement, and won’t be paying anything to the criminals this time around if asked.

“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” the spinner said in a statement Wednesday.

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action.”

The statement continues, wistfully, “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

PowerSchool said it will still be offering two years of credit monitoring for the estimated 60 million teachers and students caught up in the affair. Nevertheless, for school districts, this is proving to be a headache that won’t go away.

The case should also be a learning experience for anyone else who is tempted to pay a ransom to have their data deleted. Cybercrooks aren’t known for keeping their promises – a hard lesson for PowerSchool. ®
