Dive Brief:
- Threat actors are trying to extort some public schools by threatening them with teacher and student information stolen in a December 2024 data breach of PowerSchool’s Student Information System, according to recent statements from the ed tech software provider and the North Carolina Department of Public Instruction.
- PowerSchool confirmed on Wednesday that it paid a ransom to threat actors shortly after the Dec. 28, 2024, data breach. The company added that it believes the threat actors seeking ransoms from schools are using the same compromised data set from the December incident, which included student and staff names, contact information, some Social Security numbers, medical notes and a limited number of passwords.
- While PowerSchool’s December data breach appeared to impact a wide range of school districts across North America, a spokesperson on Friday told K-12 Dive that the threat actors have only contacted four school districts. Schools in locations ranging from North Carolina to Toronto began to report receiving such ransom threats this week.
Dive Insight:
For years, the FBI has advised schools and other organizations not to pay ransomware demands, because doing so can embolden threat actors and there’s no guarantee that stolen data will be recovered.
PowerSchool acknowledged in a Wednesday statement that it made a “very difficult decision” to pay a ransom after the December 2024 incident. The company said it thought paying a ransom was the best option for preventing the data from going public.
“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” PowerSchool said. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”
A PowerSchool spokesperson said the company is not disclosing how much it paid to the threat actor.
Meanwhile in North Carolina, the state’s education department pointed out in a Wednesday statement that PowerSchool had assured its customers five months ago that the data compromised in the December 2024 data breach was not shared and had been destroyed.
“Unfortunately, that has proven to be incorrect,” the North Carolina Department of Public Instruction said. “PowerSchool is the party responsible for the breach. There is nothing NCDPI, school districts or individual schools could have done to prevent these violations.”
The state education department added that it will not engage with the threat actors and that doing so would violate North Carolina law.
Additionally, the department said the incident appears to be a global cybersecurity incident impacting customers in multiple states and Canada. An FBI investigation into the matter is ongoing, according to NCDPI.
PowerSchool is working directly with the contacted schools and law enforcement, the company’s spokesperson said. The company is also providing free credit monitoring and identity protection services to students and staff.
Public pushback against PowerSchool since it announced the initial data breach in January has included multiple class action lawsuits. The company serves over 60 million students and 18,000 educational customers.
The data breach occurred after a threat actor gained unauthorized access to an unknown amount of student and staff data by infiltrating the company’s PowerSource customer support portal for district and school staff. PowerSchool previously confirmed to K-12 Dive that the same system lacked multifactor authentication — a standard and encouraged practice for securing sensitive data.
