Double-extortion tactics used in PowerSchool ransomware attack

Online education software provider PowerSchool on May 7 said the threat actors they paid a ransom to following a December 2024 cyberattack have reached out to multiple school district customers in apparent attempts to extort them in exchange for restoring stolen data.

The original hack in late December reportedly exposed the sensitive personal data of more than 60 million K-12 students and more than 9 million teachers. At the time, PowerSchool said it contained the incident following the ransom payment.

Security pros said the incident underscored that hackers have no ethics and paying a ransom doesn’t mean that a cyber incident has ended.

“The PowerSchool ransomware breach is a textbook example of how paying a ransom doesn’t guarantee the end of a cyberattack — it often just opens the next chapter,” said Dave Meister, cybersecurity evangelist at Check Point Software. “In this case, the attackers are now turning their attention to PowerSchool’s customers, using stolen data to extort school districts directly. This kind of double-extortion tactic is becoming increasingly common, particularly in the education sector, where sensitive student and staff data can be leveraged for maximum pressure.”

According to a report in The Record, four school boards were contacted with the extortion requests. PowerSchool did not offer any specific information about which school districts were approached.

However, the company explained its decision to pay the ransom in its incident update:

“In the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, and one which our leadership team did not make lightly. But we thought it was the best option for preventing the data from being made public, and we felt it was our duty to take that action. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

The data included names, contact information, dates of birth, limited medical alert information, Social Security numbers, Social Insurance Numbers, and other related information. PowerSchool said it had no evidence that credit card or banking information was involved.

Check Point’s Meister added that for organizations to think they are “out of the woods” after paying a ransom — as PowerSchool did — is wishful thinking. Meister said hackers often retain the stolen data and continue to escalate pressure, as seen with Toronto’s school district, which was later targeted with more demands.

“Even after payment, attackers may leverage the data to extort individual districts, or sell it on the dark web, prolonging the attack cycle and maximizing financial gain,” said Meister.

Willy Leichter, chief marketing officer at PointGuardAI, said it’s actually easy to condemn ransom payments: they fuel a criminal economy and have become the go-to method for attackers to profit from cybercrime. But when the organization is paralyzed following an attack, the ransom often seems like a small price to pay compared with the cost of going out of business.

“Desperation can lead to dangerous wishful thinking, including the naive belief that cybercriminals follow some kind of ethical code,” said Leichter. “In reality, these are opportunistic criminals who will squeeze every ounce of value from the data they’ve stolen. From a compliance perspective, once data is compromised, it’s a breach — period. Everyone should assume the worst. Claims that a breach has been ‘contained’ are meaningless, and no one should trust a vendor who insists their data has been ‘retrieved’ and is now safe.”

Ngoc Bui, cybersecurity expert at Menlo Security, added that while paying ransoms might incentivize threat actors, the reality is that not paying a ransom could be more damaging, especially for organizations involved in critical infrastructure.

“The disruption from ransomware can be disastrous, and organizations of all sizes must prioritize protecting both operations and stakeholders,” said Bui. “Organizations that suffer a ransomware attack should also use it as a learning opportunity to fine-tune their security measures and ensure they are using actionable intelligence to do so.”

Darren Williams, founder and CEO of BlackFog, pointed out that once data is gone, it’s gone: the organization has lost control and the damage can continue for years. Williams said the only real solution is prevention at the point of exfiltration.

“Traditional tools lull organizations into a false sense of security by focusing on detection after the fact,” said Williams. “But attackers today are laser-focused on stealing data, not just encrypting systems. To stop that, you need to block data from leaving your network in the first place.”

Williams offered these tips to security teams:

  • Implement controls that prevent data exfiltration, don’t just rely on perimeter defenses.
  • Continuously monitor outbound traffic for signs of unauthorized data movement.
  • Assume compromise and plan accordingly. Build resilience into incident response, not just prevention.
  • Never assume paying a ransom ends the story — because in most cases, it’s only the beginning.