K-12 software provider for 60M+ students naively pays hackers to erase stolen data


PowerSchool, a K-12 software provider serving over 60 million students in North America, says it paid off the ransomware gang that hacked its systems in December to delete the files it stole – and it has the video to prove it.

The leading cloud-based software provider for over 15,000 schools throughout North America was apparently hacked by an unnamed ransomware group the week before Christmas. The attack was discovered just before the 2025 New Year.

That’s according to a snippet of the “Confidential” breach notification letter sent out to those affected by the incident and posted online by cybersecurity author and journalist Brian Krebs.


“On December 28th, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain information through one of our community-focused customer support portals,” PowerSchool wrote in the letter.

The threat actors gained access to the servers from "approximately December 19th through the 23rd," the software provider reportedly told customers.

PowerSchool breach letter

The PowerSchool tech products help schools and districts manage a variety of tasks, including state reporting and compliance, special education, finance, human resources, talent, registration, attendance, funding, learning, and instruction, the company’s website states.

PowerSchool admits to paying ransom demand

Besides the lack of security measures that led to the “unauthorized party” gaining access to its networks, PowerSchool actually boasted of paying off the crooks responsible for stealing the files in an effort to keep the data from being leaked.

In fact, PowerSchool announced in the letter that they actually have proof that the stolen files were deleted from the hacker’s servers.

“We have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse,” the company said in the letter, adding that they also “have a video confirming deletion.”


Furthermore, PowerSchool said it was “actively searching the dark web,” presumably to ensure the cybercriminals were making good on the purported ransom demand agreement between the two.

Krebs, who couldn't help but comment on the absurdity of the claims, posted his thoughts about the matter on LinkedIn.

“PowerSchool, a provider of K-12 software and cloud solutions, had a breach over the holidays. But not to worry, they paid the cybercriminals who hacked them and they have a video of the crooks deleting the data,” he said.

"PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist. Thank goodness the threat actors are so reasonable, right?”

Krebs ended the post with an “SMH,” meaning shake my head.

No honor among thieves

Besides the obvious point that you should never ‘trust a criminal,’ it is common knowledge in the cybersecurity world that most ransomware gangs these days use the double extortion business model.

This is when bad actors not only steal or encrypt your files in hopes of a ransom payment, but also keep a copy of those files for future extortion attempts.


In other instances, the criminals will sell the sensitive data to other ransomware affiliates (leading to more extortion attempts) or post it for sale on dark markets or hacker forums, recycling the files as long as they bring in money, sometimes even years later.

Furthermore, threat actors will often ‘rinse and repeat’ by either maintaining a stealth presence in a victim’s network or leaving a “backdoor” open to infiltrate the victim’s network systems a second time in the future.


For what it's worth, PowerSchool did say it had brought in the third-party rapid incident response and breach management advisor Cyber Steward for guidance, noting that the security group had “deep experience in negotiating with threat actors.”

The company also reported that it has beefed up its security controls since the hack, including deactivating compromised credentials and resetting passwords.

The company further said that its customer-facing operations have not been disrupted, yet late Wednesday, school districts nationwide, from Alabama and North Carolina to Indiana and Wisconsin, have begun to report issues.

The stolen files primarily contain "contact details such as names and addresses. However, for some districts, it could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades,” according to a report by Bleeping Computer.

Although it's not clear how much data was stolen in the hack, the fact that it involves student data puts the incident at odds with many US government compliance regulations listed on its website, including the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).

We wish PowerSchool the best of luck.
