After Hacking 62 Million Kids, PowerSchool Attackers Extort Teachers

The largest hacking incident affecting US schools continues to unfold, with teachers across the country facing threats from hackers who have stolen sensitive data from the education tech platform PowerSchool.

In December 2024, a devastating breach compromised the personal information of an estimated 62 million children and 9.5 million teachers via PowerSchool, one of the largest ed-tech platforms used by schools nationwide. The company confirmed the attack and paid an undisclosed ransom in exchange for a video of the hackers deleting the data. It has now been revealed that the deletion did not occur.

"As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us," says PowerSchool. "We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors."

The stolen data varies by school, but information such as student and parent names, ethnicity, home addresses, GPAs, email addresses, and Social Security numbers was exposed. The hackers are now demanding additional ransoms from individual schools for this data, as one Toronto district outlined in a letter this week to parents and guardians.

"In this case, even after a ransom was paid, attackers reportedly continued targeting individual school districts for additional payouts," says Dr. Darren Williams, CEO of ransomware prevention platform BlackFog. "That's the harsh reality of double extortion: once data is stolen, threat actors hold the upper hand indefinitely."

PowerSchool claims that the fresh threats do not contain new data and that there is no evidence of another breach. The company has reported incidents from "multiple school districts" to law enforcement in the US and Canada.

"It's unclear if anything can be done to stop the threat actors, whose identity remains unknown," says Dr. Williams. "Threat actors know that victims are likely to pay under pressure, allowing them to push the limits to get the most money per incident."

PowerSchool has over 18,000 clients, covering 75% of K-12 students across North America and 60 million in the US. It is a public company, acquired by Bain Capital in 2024 for $5.6 billion.

The Consequences of Double Extortion

As seen in this case, double extortion is becoming an increasingly common tactic used by hackers to maximize their gains. Once data is stolen, threat actors hold the upper hand indefinitely, leaving victims with no choice but to pay up.

"This type of extortion can have devastating consequences for schools and districts," says Dr. Williams. "Not only do they lose valuable data, but they also face financial pressure from hackers who are essentially holding them hostage."

A Growing Concern

The PowerSchool breach highlights the growing concern over ransomware attacks on educational institutions. As ed-tech platforms become increasingly popular, the risk of cyberattacks grows.

With over 18,000 clients and 60 million students covered, PowerSchool is one of the largest targets in the history of ransomware attacks. The fact that hackers are now extorting teachers for additional ransoms underscores the gravity of this situation.

A Call to Action

As schools and districts struggle to come to terms with the aftermath of this breach, there is a growing need for action. Governments, law enforcement agencies, and ed-tech companies must work together to prevent similar incidents in the future.

"We need to take a proactive approach to protecting our students' data," says Dr. Williams. "This includes implementing robust security measures, educating employees on cybersecurity best practices, and providing resources for affected schools and districts."