PowerSchool, one of the largest software providers to K-12 public education systems, is facing renewed fallout from a major security breach that occurred in December of 2024. The company, which supports around 60 million students across North America, fell victim to a cyberattack that exploited a single stolen credential. The breach gave the hacker broad access to highly sensitive personal data, including Social Security numbers and health data, not just for students but for teachers as well.
After the breach, PowerSchool decided to pay the hacker a ransom to have the stolen data deleted. The implications have since grown, and the company is now facing significant backlash. Several affected school districts have received demand notes stating that the data was not actually deleted as claimed.
Toronto’s district school board, which serves approximately 240,000 students each year, reported that it received a communication from a threat actor demanding ransom using data from the earlier incident. This shocking disclosure has sent waves of panic through other school districts that use PowerSchool’s proprietary software.
PowerSchool confirmed its awareness of the situation, stating that it “recently became aware that a threat actor has reached out to some PowerSchool SIS customers in an attempt to extort them using data.” The company emphasized that paying the ransom was deemed a necessary measure to prevent the exposure of sensitive data, with representatives remarking that it “thought it was the best option for preventing the data from being made public.”
Evidence continues to paint a troubling picture. Samples from the data used in the extortion attempt correspond with stolen information obtained in the breach in December. This has raised fears of additional fallout for educational institutions that have continued to depend upon PowerSchool’s services. Just last week, the State Superintendent of North Carolina announced that the state, too, would not be renewing its contract with PowerSchool. This decision reflects the state’s increasing worry over data safety.
This seemingly small incident has enormous ramifications. The PowerSchool hack has led to similar ransom demands being issued to hundreds of K-12 schools and colleges in North America. The developing situation has prompted much-needed conversations regarding cybersecurity and data protection practices in K-12 educational settings.