One of the largest suppliers of educational technology paid the computer pirates to not publish dozens of millions of children’s personal information. But school districts face extortion attempts anyway.
The company, PowerSchool, was lost a basic cybersecurity step, according to an audit of cybersecurity obtained by NBC News, and was pirated last year, which led to one of the largest infractions until the date of the personal data of US children. According to reports, Powerschool paid a sum not revealed to computer pirates in exchange for a video of them that intended to delete the files they had stolen, which included the social security numbers of some students and other information, such as health and disciplinary records.
But “a threat actor” is using this stolen data to try to extort schools and school districts both in the United States and Canada, according to PowerSchool statements and several school districts issued on Wednesday.
“Powerschool is aware that a threat actor has communicated with multiple clients of the school district in an attempt to extort them using incident data previously reported in December 2024,” Powerschool wrote in a statement on Wednesday. “We do not believe that this is a new incident, since data samples coincide with the data previously stolen in December.”
North Carolina Public Schools received extortion emails on Wednesday morning, said the Superintendent of the North Carolina Public Instruction Department, Mo Green, in a public newsletter. The threat actor seems to have students and staff names, contact information, birthdays, medical information, parents information and, in some cases, social security numbers, he said.
Several Canadian school authorities have announced that they are also among the victims, including the Peel District School Board in Ontario and the Toronto District School Board. The Calgary Education Board also issued a warning to the parents this week based on the communication he had received from Powerschool.
It was not clear who was behind the current extortion attempt. Powerschool said he believes that the threat actor is using stolen data from the original incident last year, indicating that the original computer pirates are behind the current attempts or maintained the data and made it accessible to other people.
“We have informed this matter to the police both in the United States and in Canada and we are working closely with our clients to support them. We sincerely regret these developments: it hurts that our clients are being threatened and revictimized by the bad actors,” said Powerschool’s statement.
“As always is the case with these situations, there was a risk that the bad actors did not eliminate the data that stole, despite the guarantees and evidence provided to us,” he said.
It is not clear if other American school districts had been victims of the renewed attempt at extortion. Powerschool declined to appoint the victims, saying only that he was aware of “multiple clients of the school district.” The majority of the United States states have at least one school district that was affected by the original violation.
Powerschool is one of the largest companies in the educational technology industry, which became particularly generally during the COVID pandemic and uses software to rationalize school processes. One of its main programs helps school districts to track students, and company’s servers stored information such as their names, family members, addresses and birthdays.
