
PowerSchool customers hit by downstream extortion threats

The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.

Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands. 

A threat actor, who may or may not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay.

The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.

“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident,” a company spokesperson said Wednesday in a statement. “We do not believe this is a new incident, as samples of the data match the data previously stolen in December.”


The company did not say how much it paid in ransom. “We made the decision to pay a ransom because we believe it to be in the best interest of our customers and the students and communities we serve,” the spokesperson said. 

“We thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action,” the spokesperson added. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

PowerSchool provides a suite of cloud-based software — including a student information system — to K-12 schools and districts, supporting more than 60 million students and 18,000 customers in over 90 countries. The company says its customers include more than 90 of the 100 largest school districts in the United States. 

The company identified suspicious activity in the PowerSchool Student Information System on Dec. 28 of last year. CrowdStrike, which already provided endpoint detection-and-response software and a threat-hunting service to PowerSchool, began an investigation into the circumstances behind the attack the following day.

The unnamed attacker gained access to PowerSchool’s system with a compromised credential for a support user in the company’s PowerSource support portal. The level of access granted to a support technician includes “sufficient permissions to gain access to customer SIS database instances for maintenance purposes,” CrowdStrike said in an investigation report it released in late February. 


The threat actor stole data from the “teachers” and “students” tables of the PowerSchool SIS instances for certain PowerSchool customers between Dec. 19 and Dec. 23, according to CrowdStrike’s report. The incident response firm said it found no evidence of system-layer access or malware, and nothing to indicate that PowerSchool customer IT environments outside of PowerSource and PowerSchool SIS were compromised or at risk of intrusion due to the attack.

CrowdStrike found evidence of earlier unauthorized activity in the PowerSchool environment associated with the compromised support credentials between Aug. 16 and Sept. 17, but it couldn’t attribute this activity to the threat actor responsible for the malicious activity in December 2024.

The last evidence of threat actor activity occurred Dec. 28, when the attacker “used the compromised support credentials to log in to the maintenance interface of PowerSource to interact with PowerSchool SIS,” CrowdStrike said in the report.

PowerSchool customers have contacted the company to inform it of the recent extortion demands and threats. 

“We have reported this matter to law enforcement both in the United States and in Canada, and are working closely with our customers to support them,” the company spokesperson said. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”
