PowerSchool Paid Off Hackers After Huge Breach — Now They’re Extorting Districts

Millions of students’ and educators’ sensitive records, including Social Security numbers, face new risks as cybergang reneges on ransomware deal.

Cybercriminals demanded ransom payments from school districts nationwide this week, using millions of K-12 students’ sensitive data as leverage after the files were stolen from education technology giant PowerSchool in a massive cyberattack late last year. 

The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed tech behemoth’s decision to pay an unspecified ransom in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.

It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain. 

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack. 

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.” 

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said. 

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records. Exposed files include Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including to both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, school officials told parents Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly. 

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.” 

Though officials confirmed that just a subset of districts received the ransom demands, Wrenn said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system.

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices. 

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “We are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”
