PowerSchool Hacker Begins Targeting School Districts with Extortion Demands
PowerSchool has confirmed that the threat actor behind its December 2024 cyberattack is now reaching out to individual school districts with extortion demands. The company stated that the attacker is threatening to release sensitive student and faculty data unless paid.
“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident.”
— PowerSchool statement to BleepingComputer
According to PowerSchool, this is not a new breach, and the data used in the extortion matches what was previously stolen. The company has informed law enforcement in both the U.S. and Canada and is working with affected schools.
“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”
School Districts Across North America Impacted
School boards now facing extortion attempts include:
- North Carolina districts
- Toronto District School Board (TDSB) – the largest in Canada
A letter sent to TDSB parents confirms that the attacker contacted the school board, revealing the data had not been destroyed despite earlier claims.
“Earlier this week, TDSB was made aware that the data was not destroyed… [We] received a communication from a threat actor demanding a ransom using data from the previously reported December 2024 incident.”
— TDSB letter to parents
Details of the December 2024 PowerSchool Breach
PowerSchool initially disclosed the breach in January 2025, stating that attackers accessed its PowerSource customer support portal using compromised credentials. This allowed the hackers to use a remote maintenance tool to download entire school district databases.
The sensitive information in these databases varied by district and included:
- Full names of students and faculty
- Home addresses and phone numbers
- Login passwords
- Parent and emergency contact information
- Social Security numbers
- Medical records
- Student grades
Though the breach was detected on December 28, 2024, the investigation later showed that the unauthorized access started as early as August and September 2024.
Scale of the Data Theft and Ransom Payment
The hacker claimed to have stolen data affecting:
- 62.4 million students
- 9.5 million teachers
- Across 6,505 school districts in the U.S., Canada, and other countries
PowerSchool admitted in a customer-only FAQ that it had paid a ransom to prevent the data from being published. The attacker provided a video showing data deletion, but it is now clear the data still exists.
“It was a difficult decision… but we thought it was the best option for preventing the data from being made public.”
Re-Victimization Reflects Broader Trend in Cyber Extortion
Security experts continue to warn that paying ransom does not guarantee data deletion, as there’s no way to verify whether stolen data is truly destroyed.
This tactic has been seen in other major cases:
- UnitedHealth’s Change Healthcare attack, where a ransom was paid, yet the attacker returned for a second extortion
- BlackCat ransomware gang exit scam, where affiliates retained stolen data after payment
The PowerSchool hack now serves as another example of the long-term consequences facing organizations even after ransom is paid.