School districts nationwide sue PowerSchool amid data breach extortion attempts
PowerSchool, one of the nation’s largest education tech providers, is being sued by school districts across the country after a December 2024 data breach opened the door for ongoing extortion…
PowerSchool, one of the nation’s largest education tech providers, is being sued by school districts across the country after a December 2024 data breach opened the door for ongoing extortion attempts.
The data breach allowed hackers to obtain sensitive information on students and staff alike, including Social Security numbers, health and contact information, and disciplinary records; now, school districts are receiving extortion threats in which the data is held for ransom.
According to PowerSchool, however, a ransom was already paid when the data breach first occurred at the end of 2024.
“Any organization facing a ransomware or data extortion attack has a very difficult and considered decision to make during a cyber incident of this nature,” PowerSchool explained in an early May statement, adding that the company chose to pay a ransom “because we believed it to be in the best interest of our customers and the students and communities we serve.”
“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the statement added.
PowerSchool has assured disgruntled school districts that the extortion attempts are likely coming from the original hackers, but has little evidence to assuage mounting concerns the data has already been sold on the Dark Web.
“In our conversations with PowerSchool, they have indications it is the same threat actor, but they cannot verify that,” said Vanessa Wrenn, chief information officer of the North Carolina Department of Public Instruction. “What we do know is that data is not destroyed, and it is out there.”
The data breach has impacted thousands of students and their schools, including some of the largest in the nation. Memphis-Shelby County Schools, the largest district in Tennessee, says the data of 487,267 current and former students and 23,903 members of staff and faculty were compromised.
William Shinoff, an attorney representing the school districts in their lawsuit, called out PowerSchool for what the schools are perceiving as negligence leading to the data breach.
“The education community reasonably relied on PowerSchool’s claims of privacy and security, but the software provider breached numerous contractual and legal duties it owed Memphis-Shelby schools and other districts across the country,” Shinoff stated.
