PowerSchool Data Breach – Round 2 Extortions
The PowerSchool data breach nightmare of 2024 doesn’t end. Here is a quick rundown to catch up, before I call out some key learnings:
In December 2024, PowerSchool was breached by ransomware attackers who claimed to have copied 62 million records, a figure that PowerSchool has declined to specify. Forensic assessments indicated the company failed to apply basic security practices. PowerSchool was less than forthright about the incident to the public but did eventually state a breach occurred, that they paid the ransom, and received assurances from the criminals that the records were deleted.
Cybersecurity professionals, myself included, proceeded to face-palm while laughing out loud at the absurdity of criminal assurances.
Here we are, a few months later, and surprise, surprise… Individual schools are now being extorted for money with the supposedly deleted records from the PowerSchool data breach.
Key Learnings:
1. Never pay the ransom. You become a bigger target. If attackers know you are gullible enough to pay once, they will target you to pay again. Plus, you are funding future attacks by giving aid to cybercriminals.
2. Don’t believe what criminals say. It is foolish and will make you a victim.
3. Don’t show your ignorance by saying the attackers provided proof they deleted the valuable stolen data (see 2. Above)
4. Make sure you have an experienced cybersecurity professional leading the efforts to protect sensitive data
To all the academic institutions that are currently receiving extortion demands:
1. Don’t pay the ransom! Don’t even think about paying a ransom.
2. Sever your business relationship with PowerSchool. Vendors must be trustworthy. PowerSchool failed in multiple ways. Don’t put sensitive records of children and your staff in their hands.
3. If contacted by criminals, notify law enforcement immediately. Start with your local FBI or Secret Service office. They will provide free guidance and assistance if they have time. If you want a deeper level of assistance, like reviewing all your 3rd party vendors who have sensitive data, then seek a cybersecurity advisor.
4. Sue PowerSchool for damages. Hold them accountable and seek to be part of a class action to pool resources.
Bonus suggestion: I suggest that Bain Capital, which acquired PowerSchool two months before the initial breach for $5.6 billion, evaluate suing the previous owners, as they likely were not fully transparent in disclosing the cybersecurity risks.
Unfortunately, it is the tens of millions of children who are the real victims. The current extortion pales compared to how such sensitive data could be maliciously used to harm them.