Here’s today’s reminder not to waste your money paying criminals to delete data.
After PowerSchool became aware of a hack in December 2024, they paid the then-unnamed attacker(s) to delete data. They subsequently informed their affected clients that they had observed the data deletion and believed that the data had been deleted, and that there would be no further dissemination of data.
Their hopes were dashed when someone reportedly began sending some districts extortion demands. The extortion demands were accompanied by data that PowerSchool believes is from the December 2024 attack and not from any newer attack.
In response to this new development, PowerSchool sent out an announcement to districts, which was seen by DataBreaches:
Dear Valued Customers:
We are writing to inform you of a recent development related to the cybersecurity incident PowerSchool experienced in December 2024.
PowerSchool recently became aware that a threat actor has reached out to some PowerSchool SIS customers in an attempt to extort them using data from the previously reported December 2024 incident. We do not believe this is a new incident, but we wanted our customers to be informed, nonetheless.
As you all are likely aware, in the days following our discovery of the December 2024 incident, we made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve. It was a difficult decision, which our leadership team did not make lightly. As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.
In light of this, I want to take a moment to remind you all that following the December 2024 incident, PowerSchool also offered and made widely available credit monitoring and identity protection services for a period of two years to students and faculty of our PowerSchool SIS customers, regardless of whether they were individually involved. We encourage you all to take this opportunity to remind your communities that these services are still available. If you choose to send an update to your families and educators, we have included a suggested message for you to send below.
As a reminder, information about credit monitoring and identity protection services and enrollment can be found on our website:
For customers in the U.S.: https://www.powerschool.com/security/sis-incident/notice-of-united-states-data-breach/
For customers in Canada: https://www.powerschool.com/security/sis-incident/notice-of-canada-data-breach/
We sincerely regret the occurrence of the 2024 incident. We will continue supporting our valued customers and law enforcement as we work through this together. If you have any questions or concerns, please don’t hesitate to reach out to your CSM.
Sincerely,
Hardeep Gulati
Chief Executive Officer, PowerSchool
Since then, the North Carolina Department of Public Instruction has also issued a notice to state schools.
“Hello, we are ShinyHunters”
Although PowerSchool has never publicly named the threat actor, this is not the first time ShinyHunters’ name has come up in connection with this cyberattack. Before the breach had ever become public, ShinyHunters had contacted DataBreaches on Telegram and mentioned a huge breach in the education sector that would be devastating if the victim did not pay up. And now ShinyHunters allegedly has sent the state an extortion demand. The note shared with DataBreaches, stated:
Hello, we are ShinyHunters
You have 72 hours to comply with the following:
Send a representative/negotiator that represnts the entierty of North Carolina to negotiate this settlement with us.
25 Bitcoin (BTC) to be paid to the following address: bc1qpzt8et39w3texfn0r7jt6fjkz2khdarnwskqpk
(Note: The amount is negotiable, but the payment must be made promptly.)Failure to meet these demands will result in the public release of the compromised data.
DataBreaches is unable to attempt to verify whether it is the real ShinyHunters because ShinyHunters closed their Telegram channel and then took BreachForums[.]st offline. They subsequently posted a PGP-signed message that they were working on hardening the forum’s security, but in an email today received by DataBreaches that was not PGP-signed, someone sending email as “[email protected]” claimed that they no longer had access to breachforums.st and were looking to transfer ownership of breachforums[.]st to others.
There was no way to authenticate that this email was really sent by ShinyHunters as an attempt to reply to that email bounced back as timing out after six hours and DataBreaches has no other contact info since ShinyHunters stopped using his Jabber and Telegram accounts. So although it appears that ShinyHunters may be responsible for the hack and/or extortion of PowerSchool clients, both should be considered unconfirmed at this time.
This post will be updated if more information becomes available or if ShinyHunters responds to this site.
Update 1: A sentence stating that ShinyHunters had emailed demands to clients has been replaced with a statement that ShinyHunters emailed a demand to the state. DataBreaches does not know who signed any ransom notes to individual districts. If any district is willing to share their note, please contact this site.
Update 2: In a virtual press conference this afternoon, NC officials did not name which districts had received demands although they do have a list. They did reveal that there are also reports from districts in other states, and that Oregon also reported districts receiving extortion demands. In response to questions about whether it was the same threat actor now who was responsible for the December hack announced in January, officials stated that PowerSchool believes it is, but they cannot confirm that and there are some slight differences in names. One other point of note: North Carolina is not renewing its contract with PowerSchool. As of July 1, the state will be using InfiniteCampus.
Update 3: Canada, too.