PowerSchool Data Breach Leads to New Extortion Threats for Schools

PowerSchool, a major provider of K-12 software, faces renewed challenges following a significant data breach that occurred in December 2024. The platform reaches over 60 million students throughout North America, and it now finds itself in the middle of an extortion controversy that forced the resignation of several North Carolina school superintendents.

In December, attackers broke into the massive PowerSchool database that holds students' names, addresses, SSNs, and much more. They reached this trove of sensitive personal data, including Social Security numbers and health data, using just one stolen credential. PowerSchool has since determined that the data accessed in this breach has not been permanently removed. New communications reveal that schools under attack are still dealing with active extortion attempts.

Beth Keebler, a spokesperson for PowerSchool, stated, “We recently became aware that a threat actor has reached out to some PowerSchool SIS customers in an attempt to extort them using data.” The announcement has sent shockwaves across the educational institutions that have deeply embedded PowerSchool into their operations.

Dozens of universities in North Carolina, including NC State, reported that they received ransom letters. Anonymous hackers claim to have information that PowerSchool was supposed to delete but didn’t. The issue has reached alarming levels, with at least one school district recently verifying that it is being extorted.

Toronto’s District School Board, which serves nearly a quarter million students each year, later confirmed receiving the same message. “We received a communication from a threat actor demanding a ransom using data from the previously reported incident,” the board stated.

In response to the breach, PowerSchool paid a ransom to have the compromised student data deleted, believing it was “the best option for preventing the data from being made public.” However, Keebler emphasized that the company does not consider the extortion attempts to be a new incident, as “samples of data match the data previously stolen in December.”

As the situation unfolds, schools and districts are grappling with the implications of the breach and the subsequent extortion attempts. The privacy threat continues to hang over PowerSchool and all of its vulnerable clients. This reality calls for immediate conversations about data privacy and the essential steps we must take to safeguard sensitive data in our rapidly evolving educational frontier.
