PowerSchool software provider admits ransomware attackers now extorting school districts


Ransomware victim PowerSchool on Tuesday revealed that, even after it forked over alleged millions in ransom money, the attackers responsible for a massive breach of its system last December have now turned to extorting the North American school districts that use the cloud software provider.

Apparently, it's the ransomware attack that keeps giving. The K-12 software provider, which serves over 60 million students across the US and Canada, posted an “Incident Update” on its website on Tuesday announcing the new extortion attempts.

“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” the California-based tech provider stated.

PowerSchool, which has already reported the fresh ransomware attacks to law enforcement, said it is now working with its customers to help mitigate the damage.

Founded in 1987, the company, which provides a slew of student data management and learning system products for over 15,000 schools in North America and beyond, also said it suspects the latest attacks stem from the original PowerSchool breach, discovered just before the 2025 New Year.

“We do not believe this is a new incident, as samples of data match the data previously stolen in December,” it said.

At least four school districts have been contacted by the unnamed ransomware attackers, according to a Reuters source, although none of the locations of those school districts have been identified.

“We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool wrote.

Dr. Darren Williams, Founder and CEO of ransomware prevention firm BlackFog, says the PowerSchool breach “is a clear example of how ransomware has evolved beyond mere encryption.

“Today, it’s about data theft—and over 95% of publicly disclosed ransomware attacks now involve data exfiltration—making encryption-only attacks virtually obsolete,” he said.

Lesson learned: never pay a ransom demand

For many security professionals, the fact that the attackers are using double extortion techniques to make even more money off the heist is not a surprise.

In fact, when PowerSchool first announced it had paid off its attackers – who “promised” the company they would delete all the files they had exfiltrated – security insiders could not help but mock PowerSchool for its naivete. (And yes, that included Cybernews; you can read about it here.)

Williams pointed out that even after a ransom is paid, as in this case, the attackers continued to target individual school districts for additional payouts.

“That’s the harsh reality of double extortion: once data is stolen, threat actors hold the upper hand indefinitely,” Williams said.

PowerSchool, at the time, actually announced it had a “video” proving that the stolen files were deleted from the hacker’s servers in exchange for the payment, falsely assuming the extortion game had ended.

The company, obviously feeling the need to address their previous ransomware faux pas, spoke about their “very difficult and considered decision” to pay the cybercriminals a ransom demand.

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,” PowerSchool said, claiming it was their best option for “preventing the data from being made public.”

Still, PowerSchool did acknowledge what most cybersecurity folk predicted back then – that “as is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

Policy advocates for Canada’s Toronto District School Board were among the many districts and educational organizations in North America taking to X to alert students, parents, educators, and community members about the new developments, calling out the provider for its “sheer incompetence.”

Williams explained that the increased use of double extortion makes ransomware attacks harder to detect and defend against. “It’s not just about locking down systems anymore—it’s about identifying and stopping data from being exfiltrated in real time,” he said.

The CEO noted that the bigger issue here is the lack of clear guidance and regulation around ransom payments within the security industry.

“That ambiguity allows threat actors to push the limits, knowing that victims are likely to pay under pressure. Until we address the financial engine behind these attacks, we’ll keep seeing this pattern repeat,” Williams said.

Dozens, if not hundreds, of school district systems in both the US and Canada were impacted as a result of the hacks.

Stolen data was said to have included a swath of personally identifiable information (PII) such as names, addresses, emails, phone numbers, dates of birth, student ID numbers, social security numbers, grade levels, school attended, limited medical alert information, residency status, and even disciplinary notes.

PowerSchool reported in January that it had since beefed up its security controls, deactivated compromised credentials, and reset passwords.
