PowerSchool Paid the Ransom, But It Wasn’t Enough

The education sector just received another harsh wake-up call. In December 2024, PowerSchool (a student information system trusted by thousands of schools) suffered a devastating data breach that compromised sensitive student and teacher information. What's worse? The company ultimately paid the ransom, admitting they felt it was "the best option for preventing the data from being made public." But it appears the bad actors have reemerged, wanting more.

PowerSchool acknowledged it paid a ransom after discovering the initial December breach. It did so expecting the threat actor(s) to delete the data they stole. That said, in an update on May 7, 2025, PowerSchool noted, “a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident.”

But here's the uncomfortable truth: even after paying, there's no guarantee the stolen data was actually deleted. As PowerSchool's own statement acknowledges, "there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us."

This incident isn't an isolated case; it's part of a disturbing trend targeting educational institutions. Schools have become prime targets for cybercriminals. But it is not just schools. Trusted third-party partners like PowerSchool are targets too. Why? Those third-party partners are afforded a wide degree of trust, and that trust can be weaponized. When these partnerships become security weak links, the consequences ripple throughout the school ecosystem.

The Hidden Costs Beyond Ransom Payments

Data breaches in education aren't just about immediate financial losses. They damage reputations, erode trust between schools and families, and can have lasting impacts on students whose personal information is compromised. When threat actors contacted North Carolina school districts again after the PowerSchool breach, it demonstrated how these attacks create ongoing vulnerabilities.

The stark reality is that schools can no longer afford to treat cybersecurity as an afterthought. They need robust, proactive strategies to protect the sensitive data they're entrusted with.

Four Critical Steps Schools Must Take Now

Schools aren’t helpless. They can take several proactive steps, including:

1. Build a Security-Aware Culture. Your staff are simultaneously your biggest vulnerability and your strongest defense. Implement comprehensive cybersecurity awareness training that goes beyond annual compliance checkboxes. Make security awareness part of your institutional culture, because one clicked phishing email can compromise thousands of student records.

2. Master Your Regulatory Obligations. Data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) aren't just legal requirements; they're cybersecurity frameworks. Schools that properly implement these standards build stronger defenses against data breaches while avoiding costly regulatory fines that compound breach-related expenses.

3. Know What You're Protecting. Here's a sobering statistic: 68% of organizational breaches happen through assets that companies don't properly manage or don't even know exist. Schools must implement comprehensive asset management covering four phases: Discovery (continuously scanning for internet-facing assets), Classification (identifying and analyzing specific risks), Control (securing vulnerable assets), and Monitor (ongoing surveillance and management).

4. Prepare for the Inevitable. Hope for the best, but plan for breach scenarios. It's crucial to develop a detailed incident response plan with clear roles, pre-drafted notifications, and robust investigation procedures. You may be surprised to learn that there is no single federal guideline for breach notification. What?!

While there isn't one overarching federal law, state laws govern these notification guidelines, which vary widely in their timelines, ranging from "as soon as reasonably practicable" to 30, 60, or even 90 days. This means schools must comply with their specific state's data breach notification laws.

Pro-Tip: Having pre-prepared crisis communications isn't just helpful; it can be the difference between controlled damage management and a full-blown reputational disaster.

The Stakes Have Never Been Higher

The PowerSchool incident proves that even paying ransoms doesn't guarantee safety. Schools need comprehensive cybersecurity strategies that protect data before breaches occur, not reactive measures after damage is done.

Educational institutions hold some of our most sensitive information: student records, family data, and financial details. It's time to treat that responsibility with the cybersecurity rigor it demands.

NOTE: This article was created as part of a collaborative effort with The Educator Fund.

Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com