The PowerSchool breach continues to have impacts on staff and students, as the hackers have begun individually extorting schools and threatening to expose stolen student and teacher data — unless a ransom is paid. 

The initial breach affected the information of more than 60 million children and 9.5 million teachers. The organization paid a ransom in exchange for the stolen data being deleted; however, this deletion apparently did not occur. 

Below, security leaders share their insights on how organizations should navigate ransom payments. 

Security Leaders Weigh In 

Ms. Ngoc Bui, Cybersecurity Expert at Menlo Security:

While paying ransoms might incentivize threat actors, the reality is that not paying a ransom could be more damaging, especially for organizations involved in critical infrastructure. The disruption from ransomware can be disastrous, and organizations of all sizes must prioritize protecting both operations and stakeholders. Organizations that suffer a ransomware attack should also use it as a learning opportunity to fine-tune their security measures and ensure they are using actionable intelligence to do so.

Gareth Lindahl-Wise, Chief Information Security Officer at Ontinue:

The brutal truth we must face is the recognition from the cybercriminals that if an organization has succumbed to ransomware attack and paid a ransom, they are more likely to pay again to keep a data breach from becoming public. As defenses against ransomware locking devices and data improve, I expect that we may see the predominate revenue stream from the malware reverting to data theft/extortion.

Darren Guccione, CEO and Co-Founder at Keeper Security:

When faced with a ransomware attack, organizations are faced with a difficult decision — whether or not a ransom should be paid. Paying a ransom to release their data may seem like the simplest solution, however, it is often illegal and only fuels the explosive growth of this criminal activity. Also, in this instance and many other cases, paying a ransom doesn’t guarantee the cybercriminal’s illicit activities will end. Cybercriminals often receive payment and subsequently leverage the stolen files to further monetize their value.  

Generally, a payment absent proper responsive cybersecurity protection increases the probability of a future attack, as cybercriminals now know they will pay the ransom. Cybersecurity investment before a cybercriminal strikes is critical for organizations of all sizes. A zero-trust security model with data back-ups will limit exposure if a cyberattack occurs. Additionally, strong authentication and encryption measures on the front end will help prevent a data breach. IT professionals need to consider the security of their third-party vendors, as a vendor breach can have significant downstream effects, which the schools affected by this attack are experiencing firsthand.

Beyond immediate remediation, schools should focus on strengthening access controls, enforcing phishing-resistant multi-factor authentication (MFA) and ensuring all accounts use strong, unique passwords that are stored in an encrypted password manager. Implementing a zero-trust security model with privileged access management, where every login attempt is verified and administrative privileges are tightly controlled, can reduce the risk of future attacks and greatly diminish the impact if a successful attack occurs.

Heath Renfrow, CISO and Co-founder at Fenix24:

This situation with PowerSchool is yet another unfortunate reminder that paying a ransom does not guarantee safety, it only perpetuates a cycle of criminal leverage and broken promises. While I understand the emotional and operational pressure that leads organizations to pay, the PowerSchool case demonstrates why this route is fraught with long-term consequences.

We’ve seen multiple examples where paying the ransom resulted in either:

• Data being leaked anyway, sometimes months later, as extortion groups double-dip or sell the data despite prior agreements,
• A return visit from the same threat actor, who now knows the organization is willing to pay,
• Or the emergence of third-party victimization, where clients, partners, or students — in this case — are individually targeted.

Paying may provide a short-term illusion of control, but it undermines long-term recovery and resilience. The FBI’s advice to avoid paying ransoms exists for good reason, there is no enforceable contract in cybercrime, only hope and high risk.

Instead, the better path is investing in immutable backups, hardening identity infrastructure, and accelerating restoration timelines so organizations don’t have to choose between business survival and ethics. The PowerSchool fallout should drive home the message: trusting cybercriminals is a losing bet.