Canadian school boards have learned the first lesson of cyberwarfare: Never trust a hacker who’s extorting you.
What happened: School boards across Canada — including the country’s largest — have received another set of ransom demands over a trove of sensitive student data that was stolen in December, despite the hackers already receiving a ransom payment.
Catch-up: PowerSchool, the software company that handles the schools' data, paid the first ransom after it was breached. The company believed the data had been deleted after it paid up, but now the schools themselves are receiving ransom threats over the same stolen info.
- The hack, which affected school boards in at least seven provinces and one territory, compromised decades of data, including students' addresses, phone numbers, and even medical information.
Why it matters: This is Exhibit A in the case against paying ransoms. Not only does it set a financial precedent that can encourage more hacks, but there’s zero guarantee that the data will be deleted or recovered.
- One report found that 21% of the organizations that paid ransoms to their hackers never recovered the stolen data.
Bottom line: Companies are starting to catch on. Ransom payments in the U.S. fell 35% last year — despite an increase in attacks — while Statistics Canada data showed that, in 2023, 88% of those targeted by ransomware attacks didn’t pay up.—LA