{
	"id": "1af71420-e123-4a66-b8dd-28da746f61d7",
	"created_at": "2026-04-06T00:10:59.026194Z",
	"updated_at": "2026-04-10T03:19:58.11305Z",
	"deleted_at": null,
	"sha1_hash": "3d4e48d89cf23d3d982b608031c65a7ad15cb1ff",
	"title": "PowerSchool hacker now extorting individual school districts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2573692,
	"plain_text": "PowerSchool hacker now extorting individual school districts\r\nBy Lawrence Abrams\r\nPublished: 2025-05-07 · Archived: 2026-04-05 16:50:33 UTC\r\nPowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening\r\nto release the previously stolen student and teacher data if a ransom is not paid.\r\n\"PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them\r\nusing data from the previously reported December 2024 incident,\" PowerSchool shared in a statement to BleepingComputer.\r\n\"We do not believe this is a new incident, as samples of data match the data previously stolen in December. We have\r\nreported this matter to law enforcement both in the United States and in Canada and are working closely with our customers\r\nto support them. We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.\"\r\nPowerSchool apologized for the ongoing threats caused by the breach and says they will continue to work with customers\r\nand law enforcement to respond to the extortion attempts.\r\nThe company also recommends that students and faculty take advantage of the free two years of credit monitoring and\r\nidentity protection to protect against fraud and identity theft. 
More details about this can be found in the company's security\r\nincident FAQ.\r\nPowerSchool also reflected on their choice to pay the ransom demand, stating that it was a difficult decision but hoping it\r\nwould protect its customers.\r\n\"Any organization facing a ransomware or data extortion attack has a very difficult and considered decision to make during\r\na cyber incident of this nature. In the days following our discovery of the December 2024 incident, we made the decision to\r\npay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,\"\r\ncontinued the PowerSchool statement.\r\n\"It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option\r\nfor preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with\r\nthese situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that\r\nwere provided to us.\"\r\nSome of the school districts being individually extorted by the threat actor are those in North Carolina and the Toronto\r\nDistrict School Board (TDSB), which is the largest school board in Canada.\r\n\"Earlier this week, TDSB was made aware that the data was not destroyed. TDSB, along with other North American school\r\nboards, received a communication from a threat actor demanding a ransom using data from the previously reported\r\nDecember 2024 incident,\" reads a letter to parents.\r\nThe PowerSchool data breach\r\nIn January, PowerSchool disclosed that it suffered a breach of its PowerSource customer support portal through\r\ncompromised credentials. 
Using this access, the threat actors utilized a PowerSource remote maintenance tool to connect to\r\nand download the school district's PowerSchool databases.\r\nThese databases contained different information depending on the district, including students' and faculty's full names,\r\nphysical addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, medical data,\r\nand grades.\r\nThe breach was initially detected on December 28, 2024, but the company later revealed that it was breached months earlier,\r\nin August and September 2024, using the same compromised credentials.\r\nAs first reported by BleepingComputer, the hacker claimed to have stolen the data of 62.4 million students and 9.5 million\r\nteachers for 6,505 school districts across the U.S., Canada, and other countries.\r\nIn a FAQ only accessible to customers and seen by BleepingComputer at the time, PowerSchool confirmed that they paid a\r\nransom to prevent the data from being released and received a video from the threat actor claiming the data had been\r\ndeleted. 
However, it appears now that the threat actor did not keep their promise.\r\nSecurity experts and ransomware negotiators have long advised against companies paying a ransom to prevent the leaking of\r\ndata, as threat actors are increasingly failing to keep their promise to delete stolen data.\r\nUnlike a decryption key, which companies can confirm works, there is no way to adequately verify that data is deleted as\r\npromised.\r\nThis was recently seen in UnitedHealth's Change Healthcare ransomware attack, in which they paid a ransom to the\r\nBlackCat ransomware gang to receive a decryptor and not leak data.\r\nHowever, after BlackCat pulled an exit scam, the affiliate behind the attack said they still had the data and extorted\r\nUnitedHealth once again.\r\nIt is believed that UnitedHealth paid a second ransom to once again prevent the leaking of the data.\r\nUpdate 5/7/25: Added some of the districts being individually extorted.\r\nSource: https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/"
	],
	"report_names": [
		"powerschool-hacker-now-extorting-individual-school-districts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d4e48d89cf23d3d982b608031c65a7ad15cb1ff.pdf",
		"text": "https://archive.orkl.eu/3d4e48d89cf23d3d982b608031c65a7ad15cb1ff.txt",
		"img": "https://archive.orkl.eu/3d4e48d89cf23d3d982b608031c65a7ad15cb1ff.jpg"
	}
}