PowerSchool, one of the largest education technology providers in North America, is under scrutiny after confirming it paid cybercriminals a ransom following a major data theft, only for the attackers to continue extorting affected school districts. Discovered in December 2024, the breach is said to have occurred after attackers accessed the system using stolen login credentials. PowerSchool currently serves over 60 million K-12 students and 10 million teachers.
The intruders exfiltrated a wide range of data, including names, dates of birth, Social Security numbers, contact details, and limited medical information. Unlike typical ransomware attacks, no encryption was involved. Instead, the attackers threatened to leak the data unless a ransom was paid. In a controversial move, PowerSchool opted to pay the extortion demand, hoping to secure the deletion of the stolen data. However, subsequent reports suggest the criminals did not keep their promise. Several school districts, most notably the Toronto District School Board, have since received direct extortion emails from cybercriminals claiming to possess the same data.
The Toronto District School Board (TDSB) clarified that while it doesn’t store Social Insurance Numbers or financial data in PowerSchool, it remains concerned about the broader implications of the breach. The incident has reignited debate over the effectiveness of paying ransoms in response to cyberattacks.
Cybersecurity experts stress that prevention matters more than cure. “Paying ransoms rarely guarantees safety or data deletion,” said one analyst. “Once data is stolen, the damage is already done. The only real solution is to harden systems before an attack happens.”
The breach has placed renewed pressure on the edtech sector to prioritize stronger security practices, particularly around credential management and third-party risk mitigation.
As the investigation continues, impacted institutions are urging vigilance and closer scrutiny of digital access controls. In the meantime, Otonata recommends immediate audits of credential management systems to close off the most common paths for intruders.
PowerSchool Data Breach: Hackers Paid, Data Still Being Extorted
