One of the largest providers of education tech paid off hackers so that they wouldn’t publish tens of millions of children’s personal information. But school districts are facing extortion attempts anyway.
The company, PowerSchool, missed a basic cybersecurity step, according to a cybersecurity audit obtained by NBC News, and was hacked last year, leading to one of the largest breaches to date of American children’s personal data. PowerSchool reportedly paid an undisclosed sum to the hackers in exchange for a video of them purporting to delete the files they had stolen, which included some students’ Social Security numbers and other information, like health and disciplinary records.
But “a threat actor” is using that stolen data to try to extort schools and school districts in both the U.S. and Canada, according to statements from PowerSchool and various school districts issued Wednesday.
“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” PowerSchool wrote in a statement Wednesday. “We do not believe this is a new incident, as samples of data match the data previously stolen in December.”
Public schools across North Carolina received extortion emails Wednesday morning, North Carolina Department of Public Instruction Superintendent Mo Green said in a public bulletin. The threat actor appears to have students’ and staffers’ names, contact information, birthdays, medical information, parental information, and in some cases Social Security numbers, he said.
Several Canadian school authorities have announced they are also among the victims, including the Peel District School Board in Ontario and the Toronto District School Board. The Calgary Board of Education also issued a warning to parents this week based on communication it had received from PowerSchool.
It was not immediately clear who was behind the current extortion attempt. PowerSchool said it believes that the threat actor is using data stolen from the original incident last year, indicating that the original hackers either are behind the current attempts or kept the data and made it accessible to other people.
“We have reported this matter to law enforcement both in the United States and in Canada and are working closely with our customers to support them. We sincerely regret these developments– it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool’s statement said.
“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” it said.
It is not clear if other American school districts had been victims of the renewed extortion attempt. PowerSchool declined to name victims, saying only that it was aware of “multiple school district customers.” A majority of U.S. states have at least one school district that was affected by the original breach.
PowerSchool is one of the largest companies in the educational technology industry, which became particularly widespread during the Covid pandemic and uses software to streamline school processes. One of its primary programs helps school districts track students, and the company servers stored information like their names, family members, addresses and birthdays.
Leave a Reply