As some districts learn that the stolen data is still in the hands of criminals, it is not yet clear whether it is the same threat actor or not, although most people are betting it is the same criminal who had promised to delete all the data.
When hackers managed to acquire tens of millions of students’ and employees’ records across the country, PowerSchool made the decision to pay the extortion demand to get assurances that the stolen data would be deleted and not disseminated. They got those assurances, but now, months later, school districts are being sent samples of data with extortion demands.
Whether the threat actor attempting to extort districts is the same threat actor who originally hacked the data and extorted PowerSchool has not been confirmed by PowerSchool, who quickly responded to reports of extortion attempts by issuing a statement to schools. The North Carolina Department of Public Instruction has also issued a notice to schools, reminding them not to pay any ransom demands and not to respond at all to emailed demands. The state also held a virtual press conference yesterday afternoon to review what was known so far and to answer questions from the media.
During the conference, “Mo” Greene, Superintendent of the NC Department of Public Instruction, announced that the state had not renewed its contract with PowerSchool and effective July 1, would be using Infinite Campus.
To date, neither PowerSchool nor North Carolina has named the threat actor or actors involved, but a demand note to the state shared with the breach site DataBreaches.net began, “We are ShinyHunters.” When asked during the conference if the same person or persons were responsible for the January attack and the current situation, NCDPI Chief Information Officer Vanessa Wrenn stated that although PowerSchool suspected it was the same party, it had not been confirmed and there were some differences in the names. It is not clear how ransom demands to individual schools were worded or signed.
