School districts that were affected by a PowerSchool data hack in December are now facing extortion attempts by cyber criminals, according to the K-12 ed-tech company.
PowerSchool, which runs the most commonly used student information system in U.S. schools, had a cybersecurity breach that exposed the sensitive personal information of millions of students and educators.
While there are only a couple of reports so far of school district customers receiving extortion threats, there could be many more to come, said Doug Levin, a school cybersecurity expert and the national director of the K12 Security Information Exchange. All schools affected by the initial data breach need to be prepared, he said.
“We may have just heard about the tip of the iceberg, and there may be more extortion demands coming,” Levin said.
In the days following that December cybersecurity incident, PowerSchool paid a ransom in exchange for the deletion of the stolen data, because the company “thought it was the best option for preventing the data from being made public,” according to a statement from PowerSchool. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”
Since then, a “threat actor,” to use a term from cybersecurity parlance, who may or may not be the same criminal group behind the December attack, has recently contacted several school district customers of PowerSchool in an attempt to coerce them using data that the perpetrators claim is from the December incident, according to PowerSchool.
One of the primary ways hackers try to make money from the data they steal is through cyber extortion, or threatening to release data publicly if the victim doesn’t pay them money.
The company said it has notified all PowerSchool customers and is working with law enforcement in both the United States and Canada to address the problem.
“We do not believe this is a new incident, as samples of data match the data previously stolen in December,” a PowerSchool spokesperson said in the statement. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors.”
How one state is handling the new cybersecurity threat
In North Carolina, where all public school districts and charter schools use PowerSchool’s student information system, dozens of Department of Public Instruction employees and local school district staff members were among those who received extortion emails from the threat actor, said Maurice Green, the state superintendent, in a May 7 press conference. The hacker asked for Bitcoin in exchange for the stolen data, said Vanessa Wrenn, the department’s chief information officer, during the press conference.
“North Carolina Department of Public Instruction has not and certainly will not engage with these threat actors,” Green said. The department is advising local districts to do the same and report any new extortion emails to the department, which is handling all regulatory and law enforcement reporting on behalf of districts.
“I do want to express my regret to our students, parents, teachers, and school and district members that have been affected by this incident,” Green said. “I want you all to know that we support you and are working to ensure that your personal information isn’t further compromised.”
Green and Wrenn underscored that there was nothing the North Carolina Department of Public Instruction or local school districts could have done to prevent the December hack and that the responsibility lies with PowerSchool.
To support districts, staff, and families, the department has provided templates for communication, spreadsheets of the information compromised in the December hack, and a website with information on how those affected can enroll in identity protection, Wrenn said.
PowerSchool is providing two years of free credit monitoring and identity protection services for students and faculty affected by the December data breach.
North Carolina’s contract with PowerSchool expires this summer and its new student information system vendor will be Infinite Campus, which the state board of education selected in 2023, before the cybersecurity breach.
“We have deeply investigated Infinite Campus’ security practices, and we are pleased with how they are designed,” said Wrenn.
How schools should respond to, and prepare for, an extortion threat
If a school, district, or state education agency learns of an extortion threat against their school systems related to the PowerSchool data breach, they must notify their entire school community that they might receive emails or other communications from the threat actor, said Levin. As in North Carolina, cybercriminals won’t necessarily just email the superintendent, he said, and staff must know not to respond to any extortion attempts.
“It’s important for people to understand that these extortion demands may go far and wide,” Levin said. “It’s important not to show that the recipient of any of these messages is an active account and has an interest in the issue, because then you could become a greater target yourself.”
Staff should be instructed to immediately alert district leadership if they receive any such message, and district leadership should then notify law enforcement, Levin said.
Cybercriminals might also attempt to contact parents and students, he said, so districts should also tell them not to engage.
Districts that were affected by the December data breach but haven’t received an extortion threat should consider getting ahead of the issue and communicating with staff, families, and students about what to do if they receive an extortion message from a cybercriminal, said Levin.
It is important for every PowerSchool customer affected by the December data breach “to be vigilant and on the lookout for any sorts of communications from threat actors related to this incident,” he said.