PowerSchool Paid Ransom, Now Hackers Target Teachers for More

PowerSchool paid ransom after a major data breach; now hackers are targeting teachers and schools with direct extortion threats for more payment.

On December 28, 2024, education tech giant PowerSchool experienced one of the biggest data breaches in U.S. school history, compromising the personal information of over 60 million students and 9.5 million teachers. The company responded by paying an undisclosed ransom.

But the fallout didn’t stop there. Months later, hackers are now contacting schools directly, targeting teachers in particular, and threatening to leak stolen data unless more payments are made.

The breach began when attackers exploited PowerSource, a customer support portal linked to PowerSchool’s Student Information System (SIS). While the company believed paying the ransom would contain the damage, that hasn’t been the case. Hackers sent a video claiming to show the data being deleted, but continued extortion attempts suggest otherwise.

Now, schools are being pressured individually, with threats to release sensitive records unless new demands are met. According to a letter sent to parents, guardians, and caregivers, the Toronto District School Board (TDSB) confirmed it received a ransom demand from the attackers.

“Earlier this week, TDSB was made aware that the data was not destroyed. TDSB, along with other North American school boards, received a communication from a threat actor demanding a ransom using data from the previously reported December 2024 incident.”

Toronto District School Board (TDSB)

The exposed information varied widely depending on the school’s system settings, but it included names, contact details, birth dates, Social Security numbers, and even some medical alert data.

In response, PowerSchool’s data breach notice shows that the company is offering two years of free identity protection to those affected. Adults are eligible for credit monitoring, while services for minors include Social Security number tracking and dark web surveillance.

Affected individuals must enrol by July 31, 2025, using codes provided by Experian. More information is available on PowerSchool’s official security incident page.

PowerSchool has not publicly named the group behind the breach, but an interesting report by Dissent Doe of DataBreaches.net points to ShinyHunters as the likely culprit. This claim is based on a message ShinyHunters sent to Dissent, referencing a major hack targeting the education sector that would be “devastating if the victim did not pay up.”

Hackread.com has not been able to independently verify whether this is truly ShinyHunters (owners of currently offline BreachForums) or someone impersonating the group. We had previously communicated with ShinyHunters via Telegram, but the group has since gone silent there as well.

PowerSchool says the ransom payment was made in hopes of protecting schools and students. But security experts are warning that giving in to such demands may have only made matters worse.

The decision to pay the ransom follows the FBI’s 2015 advice to “just pay,” but goes against the agency’s later stance that it “does not support paying a ransom.”

Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue, says this situation highlights a troubling trend. “Cybercriminals know that if a ransom was paid once, it’s more likely to be paid again. As ransomware shifts from encrypting files to threatening public leaks, extortion becomes the main game.”

PowerSchool has stated it’s working with law enforcement and continuing to support affected institutions. However, there’s still no indication that the stolen data has been fully secured or that further attacks won’t happen.

According to WBTV News, North Carolina has decided not to renew its contract with PowerSchool in the wake of the massive data breach. Officials said the decision reflects growing concern over how the breach was handled and the ongoing risks tied to PowerSchool’s systems.

Those whose information was involved are encouraged to sign up for the provided protection services and monitor for unusual activity. PowerSchool has published full instructions for enrollment, with separate processes for adults and minors.

The company also advises against responding to unsolicited emails or phone calls asking for personal information, stressing that it will not reach out that way.

This breach is now one of the largest ever recorded in the education sector, and the long-term consequences remain unclear. One thing is certain, paying ransom is not the solution.