North American school software provider PowerSchool has reportedly paid a ransom to prevent attackers from releasing stolen data of students and teachers.
A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: “PowerSchool confirmed that this was not a ransomware attack but it did pay a ransom to prevent the data from being released.”
Infosecurity reached out to PowerSchool but it did not comment on whether it has made such a payment.
In a letter to customers on January 7 notifying them of the breach, PowerSchool said it had taken all appropriate steps to prevent the data involved from further unauthorized access or misuse.
A PowerSchool spokesperson told Infosecurity, "PowerSchool believes the data has been deleted without any further replication or dissemination."
PowerSchool was acquired by private investment firm Bain Capital in October 2024. Its software solutions support over 60 million students and over 18,000 customers in more than 90 countries.
Compromised Credential Causes Breach
PowerSchool, which provides K-12 software and cloud-based solutions to schools in the US and Canada, revealed in the notification that a malicious actor gained unauthorized access to certain information through one of its community-focused customer support portals, PowerSource, on December 28, 2024.
This access was achieved through a compromised credential, the firm stated. The compromised credential has been deactivated, and all access to the affected portal has been restricted.
Additionally, a full password reset has been conducted, and password and access controls have been further tightened, for all PowerSource customer support portal accounts.
PowerSchool confirmed that the information accessed relates to “families and educators.” The information compromised will vary by impacted customer, according to the notification.
The firm will conduct a notification process to identify and inform all impacted individuals over the coming weeks.
All adults affected will be offered free credit monitoring while identity protection services will be provided to minors in accordance with regulatory and contractual obligations.
The incident has been isolated to the PowerSource portal, meaning there is no operational disruption to schools.
“Importantly, the incident is contained, and we have no evidence of malware or continued unauthorized activity in the PowerSchool environment,” the firm said.
Law enforcement and relevant data protection regulators have been informed of the breach.
Shift from Ransomware to Data Extortion
The incident potentially relates to a shift observed in recent years in the tactics of some ransomware groups, which now focus primarily on exfiltrating data to extort victims, often without needing to deploy ransomware payloads to encrypt data.
Spencer Starkey, Executive VP EMEA at SonicWall, said that schools and universities hold highly sensitive data which can be used by malicious actors to replicate students’ or staff members’ identities for financial crime.
This makes such data particularly ripe for extortion.
“An example of this is ransomware, cybercriminals are able to hold this data they steal from educational institutions for ransom for a high price,” said Starkey.