One of the largest educational technology suppliers paid hackers so that they do not publish dozens of millions of children’s personal information. But school districts are facing extortion attempts anyway.
The company, PowerSchool, lost a basic cyber security step, according to a cyber security audit obtained by NBC News, and was invaded last year, leading to one of the greatest violations until the personal data of American children. PowerSchool would have paid an unveiled amount to hackers in exchange for a video of them intending to delete the files they had stolen, which included the social security numbers of some students and other information, such as health and disciplinary records.
But “an actor of threats” is using stolen data to try to extort schools and school districts in the US and Canada, according to PowerSchool statements and several school districts released on Wednesday.
“PowerSchool is aware that a threat actor has reached several clients in the school district in an attempt to extort them using incident data previously reported in December 2024,” PowerSchoool wrote in a quarter -bid. “We do not believe this is a new incident, as data samples correspond to the previously stolen data in December.”
Public schools across North Carolina received and Extortion emails on Wednesday morning, said the superintendent of the Public Instruction Department of North Carolina, Mom Green, in a public bulletin. The threat actor seems to have students and staff names, contact information, birthdays, medical information, parents information, and in some cases social security numbers, he said.
Several Canadian school authorities have announced that they are also among the victims, including the Peel District School Council in Ontário and the Toronto District School Council. The Calgary Education Council also issued a warning to parents this week based on the communication it received from PowerSchoool.
It was not immediately clear who was behind the current extortion attempt. PowerSchool said it believes that the threat actor is using stolen data from the original incident last year, indicating that the original hackers are behind current attempts or maintained the data and made it accessible to others.
“We report this subject to law enforcement in both the United States and Canada and we are working closely with our customers to support them. We sincerely regret these developments, it hurts that our customers are being threatened and reconnected by bad actors,” said PowerSchool statement.
“As it is always the case of these situations, there was a risk that bad actors did not exclude the data they stole, despite the guarantees and evidence that were provided to us,” he said.
It is unclear whether other US school districts were victims of the attempted renewed extortion. Powerschool refused to name victims, saying only that he was aware of “several clients in the school district.” Most US states have at least one school district that was affected by the original violation.
PowerSchool is one of the largest educational technology companies, which has become particularly widespread during Covid Pandemic and uses software to optimize school processes. One of its main programs helps school districts tracking students, and company servers stored information such as names, family members, addresses and birthdays.