The threat actor previously responsible for breaching education technology firm PowerSchool is now targeting individual school districts, threatening to publicly release sensitive student and staff information unless a ransom payment is made.
The original breach, which was reported by PowerSchool in early 2025, exposed data from various school systems. PowerSchool had initially paid a ransom, expecting the attacker would delete the stolen data; however, it is clear that the threat actor kept the data from the original breach and is now targeting schools directly.
PowerSchool has confirmed that these extortion attempts stem from the earlier breach. The company is working with law enforcement in the U.S. and Canada, and is also collaborating with impacted schools to help them respond effectively.
To support affected individuals, PowerSchool is offering two years of free credit monitoring and identity theft protection. The company continues to investigate the scope of the incident and is reinforcing its security measures.
Source: Bleeping Computer
Analysis
PowerSchool is a popular cloud-based solution used by thousands of schools to manage student enrollment, communication, staffing, and finance functions. It stores personal information, such as Social Security numbers and grades, associated with millions of students and teachers across thousands of school districts in the U.S. and Canada.
This scenario demonstrates why it’s generally not advised to pay a ransom to cybercriminals in exchange for the non-disclosure of breached data. Often, just like in this case, threat actors simply retain the stolen data and re-sell or expose it at a later time, leaving organizations at risk of a second breach.
Although it can feel like paying the ransom is the easiest solution, doing so only fuels the criminal activity, emboldening the attackers to continue targeting other organizations. Complying with ransom demands effectively encourages more attacks and contributes to the broader cybersecurity threat landscape.
Organizations should instead focus on improving their defenses, engaging law enforcement, and leveraging cybersecurity experts to handle the breach, as paying the ransom rarely leads to a satisfactory resolution and can perpetuate the cycle of cybercrime.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor for threats emanating from breaches like that involving PowerSchool. Field Effect MDR Complete users will be automatically notified if any of their personal information is disclosed as a result of this breach and are encouraged to review any related AROs and/or monthly dark web monitoring reports via the Field Effect portal as soon as possible.
To counter the threat posed by leaked credentials and other sensitive and personal information, Field Effect strongly encourages organizations to implement a dark web monitoring capability.