
The hacker behind the high-profile cyberattack on PowerSchool in December 2024 has begun directly extorting individual school districts across the United States and Canada, demanding ransom payments in exchange for withholding the disclosure of previously stolen data. The threats have now extended beyond the company itself, ensnaring dozens of schools that remain hostages to the breach despite attempts to stop the perpetrator last year.
PowerSchool has confirmed it is aware of the extortion attempts targeting its clients and emphasized that these threats are not the result of a new attack, but rather the re-exploitation of data stolen during the incident reported on December 28. However, subsequent investigations revealed that the attackers had infiltrated the system as early as August and September, using compromised credentials to gain access to the PowerSource client portal. From there, they connected to a remote administration tool and exfiltrated databases from educational institutions.
The contents of these databases varied by school but often included full names of students and staff, addresses, phone numbers, passwords, parental contact information, Social Security numbers, medical records, and even academic performance. According to statements made by the hacker, they are now in possession of data concerning 62.4 million students and 9.5 million educators from over 6,000 institutions across the United States, Canada, and other countries.
Following the breach, PowerSchool made the difficult decision to pay the ransom in an effort to prevent the data from being leaked. In return, the attacker provided a video allegedly demonstrating the deletion of the stolen information. As is often the case, however, the criminal failed to honor the agreement. The data is now being weaponized for targeted blackmail against individual schools—a scenario already confirmed by the Toronto District School Board, Canada’s largest school district, whose representatives have informed parents of receiving a ransom demand threatening to release confidential information.
PowerSchool has acknowledged that the decision to pay was agonizing, but company leadership maintains it was, at the time, the only viable course to protect its clients and their students. Nevertheless, cybersecurity experts stress that no assurance of data deletion can ever be deemed trustworthy—unlike decryption keys, the authenticity of which can be practically verified.
The company continues to cooperate with authorities in both the United States and Canada, urging affected individuals to take advantage of a free two-year credit monitoring and identity theft protection program. Yet this new wave of extortion underscores a harsh reality: even after the official resolution of a breach, both organizations and users remain in the crosshairs of malicious actors, and ransom payments rarely offer a lasting reprieve.
A similar pattern unfolded recently in the case of Change Healthcare, a subsidiary of UnitedHealth. There, too, attackers received a ransom payment in exchange for the deletion of stolen data—only to betray the agreement and demand further payment, threatening another data leak. In both incidents, the outcome is the same: compromised data becomes a tool of prolonged coercion, and victims are left not only financially burdened but increasingly powerless to reclaim control.