School districts hit with extortion attempts months after education tech data breach

One of the largest providers of education tech paid off hackers so that they wouldn’t publish tens of millions of children’s personal information. But school districts are facing extortion attempts anyway.

The company, PowerSchool, missed a basic cybersecurity step, according to a cybersecurity audit obtained by NBC News, and was hacked last year, leading to one of the largest breaches to date of American children’s personal data. PowerSchool reportedly paid an undisclosed sum to the hackers in exchange for a video of them purporting to delete the files they had stolen, which included some students’ Social Security numbers and other information, like health and disciplinary records.

But "a threat actor" is using that stolen data to try to extort schools and school districts in both the U.S. and Canada, according to statements from PowerSchool and various school districts issued Wednesday.

"PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident," PowerSchool wrote in a statement Wednesday. "We do not believe this is a new incident, as samples of data match the data previously stolen in December."

Public schools across North Carolina received extortion emails Wednesday morning, North Carolina Department of Public Instruction Superintendent Mo Green said in a public bulletin. The threat actor appears to have students' and staffers’ names, contact information, birthdays, medical information, parental information, and in some cases Social Security numbers, he said.

Several Canadian school authorities have announced they are also among the victims, including the Peel District School Board in Ontario and the Toronto District School Board. The Calgary Board of Education also issued a warning to parents this week based on communication it had received from PowerSchool.

It was not immediately clear who was behind the current extortion attempt. PowerSchool said it believes that the threat actor is using data stolen from the original incident last year, indicating that the original hackers either are behind the current attempts or kept the data and made it accessible to other people.