One of the largest data breaches in U.S. educational history is worsening, as the attacker behind the December 2024 cyberattack on PowerSchool is now directly extorting affected schools, threatening to leak sensitive student and teacher data unless ransom payments are made.
PowerSchool, a student information system (SIS) platform widely used across American K–12 institutions, confirmed that the breach compromised data belonging to over 60 million students and 9.5 million educators. The incident was initially believed to have been resolved after PowerSchool paid an undisclosed ransom to the attackers in exchange for a video showing the data’s deletion, but the situation has taken a dramatic turn. The data was not deleted as promised, and schools are now receiving direct threats.
Breach Details: How It Happened
According to PowerSchool, the breach occurred on 28 December 2024, when bad actors exploited vulnerabilities in PowerSource, the company’s customer support portal. This allowed unauthorized access and data exfiltration from multiple school environments using the PowerSchool SIS.
The type of information stolen varies by individual but may include:
- Full names and contact details
- Dates of birth
- Social Security Numbers
- Limited medical alerts
- Other sensitive personal information
What PowerSchool Is Offering
In response to the breach and subsequent threats, PowerSchool is offering two years of complimentary identity protection and credit monitoring services through Experian for affected individuals, including minors. Enrollment must be completed by 31 July 2025, using the activation codes provided in the official notice.
For individuals 18 and older:
- Activation Code: CTYU949PRK
- Engagement Number: B138812
For individuals under 18:
- Activation Code: CEBP456TRK
- Engagement Number: B138813
Both plans include monitoring for fraud, dark web surveillance, identity restoration support, and $1 million in identity theft insurance.
Why PowerSchool Paid Up
PowerSchool acknowledged that it initially chose to pay the ransom in the hope of protecting its users and preventing the release of data.
The company expressed regret over its decision, saying it had few options and was under pressure. “In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve.
“It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”
No Evidence of Identity Theft (Yet)
As of now, PowerSchool reports that there is no confirmed evidence of identity theft linked directly to the breach. However, security experts warn that stolen personal information, especially that of minors, may not surface immediately but could be used in fraud schemes for years.
Affected individuals are urged to remain vigilant, monitor financial accounts, and be wary of any suspicious communications. PowerSchool emphasized that it will never ask for personal information by phone or email.
To Pay or Not to Pay
Ngoc Bui, Cybersecurity Expert at Menlo Security, said while paying ransoms might incentivize threat actors, the reality is that not paying a ransom could be more damaging, particularly for entities involved in critical infrastructure. “The disruption from ransomware can be disastrous, and organizations of all sizes must prioritize protecting both operations and stakeholders. Organizations that suffer a ransomware attack should also use it as a learning opportunity to fine-tune their security measures and ensure they are using actionable intelligence to do so.”
The brutal truth we must face is that attackers know that if an organization has succumbed to a ransomware attack and paid a ransom, it is more likely to pay again to keep a data breach from becoming public, added Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue. “As defenses against ransomware locking devices and data improve, I expect that we may see the predominate revenue stream from the malware reverting to data theft/extortion.”
“When faced with a ransomware attack, organizations are faced with a difficult decision – whether or not a ransom should be paid,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “Paying a ransom to release their data may seem like the simplest solution, however, it is often illegal and only fuels the explosive growth of this criminal activity. Also, in this instance and many other cases, paying a ransom doesn’t guarantee the cybercriminal’s illicit activities will end. Cybercriminals often receive payment and subsequently leverage the stolen files to further monetize their value.”
Generally, a payment absent proper responsive cybersecurity protection increases the probability of a future attack, as cybercriminals now know they will pay the ransom, Guccione added.
No Guarantee of Safety
This situation with PowerSchool is yet another unfortunate reminder that paying a ransom does not guarantee safety, it only perpetuates a cycle of criminal leverage and broken promises, added Heath Renfrow, CISO and Co-founder at Fenix24. “While I understand the emotional and operational pressure that leads organizations to pay, the PowerSchool case demonstrates why this route is fraught with long-term consequences.”
Renfrow said he has seen multiple examples where paying the ransom resulted in either:
- Data being leaked anyway, sometimes months later, as extortion groups double-dip or sell the data despite prior agreements,
- A return visit from the same threat actor, who now knows the organization is willing to pay,
- Or the emergence of third-party victimization, where clients, partners, or students — in this case — are individually targeted.
“Paying may provide a short-term illusion of control, but it undermines long-term recovery and resilience. The FBI’s advice to avoid paying ransoms exists for good reason, there is no enforceable contract in cybercrime, only hope and high risk,” said Renfrow. “Instead, the better path is investing in immutable backups, hardening identity infrastructure, and accelerating restoration timelines so organizations don’t have to choose between business survival and ethics. The PowerSchool fallout should drive home the message: trusting cybercriminals is a losing bet.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


