On May 7, a Toronto school board and the North Carolina Department of Public Instruction announced that threat actors had recently contacted and attempted to extort school district employees. The messages, which reportedly demanded cryptocurrency payment in exchange for not releasing personal data, arrived months after a compromise of a popular K–12 software service called PowerSchool, which was used by the two organizations and millions of students.
“PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident. We do not believe this is a new incident, as samples of data match the data previously stolen in December,” a May 7 statement from PowerSchool began.
The ongoing disruption demonstrates a pair of disturbing trends: steady attacks on the education sector, and an increase in third-party compromises.
Hitting the books. According to a Center for Internet Security study between July 2023 and December 2024, 82% of surveyed K–12 organizations experienced “cyber threat impacts,” ranging from temporary shutdowns to limited access to files.
In findings published in May 2024, Comparitech reported that the backpack of attacks is getting heavier: US K–12 school districts, colleges, and universities had experienced 3,713 data breaches since 2005, affecting more than 37.6 million records.
Education data breaches in 2023, Comparitech researchers found, impacted almost 4.3 million records—“a vast increase” on 2021’s and 2022’s figures, which were around 2.6 million.
Verizon’s latest Data Breach Investigations Report found that the percentage of breaches involving a third party doubled compared to last year, from 15% to 30%.
PowerSchool provides cloud-based educational tools, like personalized learning and enrollment assistance, to “60+ million students,” its company site says.
A way in. On December 28, 2024, PowerSchool became aware of “unauthorized exfiltration of personal information from certain PowerSchool Student Information System (SIS) environments,” a March 2025 site bulletin shared. That info, according to the company, related to “current and former students and educators” and possibly included details like contact info, Social Security numbers, and “limited medical alert information.”
“The record that you can obtain from a school is for a student that has a pristine credit history. So, these records are highly monetizable, because they can be abused for quite a long time before somebody actually finds out,” Mike Hamilton, field CISO at Lumifi Cyber and former CISO for the City of Seattle, told us.
The December 28 attack, according to recent findings from CrowdStrike, began with “compromised support credentials.”
Pay up, stay down? PowerSchool also admitted in a statement that it paid a ransom following the December incident. “We thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company wrote on its site in May.
PowerSchool did not respond to IT Brew’s request for comment.
Ransomware payments have declined lately. Pros like Hamilton say paying ransoms incentivizes the adversary and may just allow a depressing cycle of cyber incidents to continue.
“When you pay that ransom, you’re going to try and put everything back together, but that doesn’t mean that you didn’t leave the same vulnerability in place that allowed them that initial access so you may get reattacked,” Hamilton said.