Despite ransom payment, PowerSchool hacker now extorting individual school districts

An education tech giant that was hacked in December said Wednesday that the same threat actor is now attempting to use the stolen data to extort the individual school districts that it works with.

PowerSchool — which was breached in late December, exposing the sensitive personal data of more than 60 million K-12 students and more than nine million teachers — had previously said the incident had been “contained” and that it had paid a ransom.

At the time, PowerSchool expressed confidence the incident was resolved, telling Bleeping Computer the hacker shared a video which purported to show the data being deleted.

By Wednesday, it had become clear that was wishful thinking.

The company posted a statement on its website saying it is “aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident.”

PowerSchool said it does not believe the hacker has obtained new data because samples of the data being used in the new extortion attempt matches the material taken in December. 

Four school boards were contacted with the extortion requests, according to a source familiar with the investigation. PowerSchool did not immediately respond to a question from Recorded Future News about how many of their customers were extorted.

The company said it has reported the latest incidents to law enforcement in the U.S. and Canada and is supporting clients who have been targeted.

“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” the statement said.

Referring to the video the hacker shared after PowerSchool paid him months ago, Wednesday’s statement said that even though the company made the difficult decision to pay a ransom, as is “always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

In February, Recorded Future News reported that the breached data in some cases includes student special education status, mental health details, disciplinary notes and parental restraining orders.