PowerSchool Data Breach 2025: 60 Million Student Records and the K-12 SIS Vulnerability

BREACH INTELLIGENCE

Breach date: 2024-12-28

Industry: Technology

Severity: Critical

Records Exposed: 60M+ students affected

Financial Impact: 60M+ students affected

Breach Summary

The PowerSchool breach of December 2024–January 2025 exposed the personal records of an estimated 60 million students and 10 million teachers across 18,000 school districts in the United States and Canada — making it the largest breach of K-12 education data in history. The attacker accessed PowerSchool's Student Information System (SIS) — the administrative platform that tracks student enrollment, grades, attendance, and sensitive family information — using compromised credentials on a customer support portal.

What made the breach particularly damaging was the subsequent extortion campaign: after school districts paid ransom to prevent data publication, the threat actor returned months later with fresh extortion demands directed at individual districts, demonstrating that the ransom payments had not produced data deletion.

What Happened

The attacker gained access to PowerSchool's PowerSource customer support portal in late December 2024 using stolen credentials. From PowerSource, they accessed PowerSchool's Student Information System database, exfiltrating records containing student names, dates of birth, addresses, Social Security numbers, medical information, and academic records. In some districts, teacher data was also stolen. PowerSchool discovered the breach in January 2025 and paid the attacker to delete the data, receiving a video purportedly showing deletion. By mid-2025, multiple school districts reported receiving fresh extortion demands from the same threat actor, indicating the deletion video was falsified. The scope — 60 million student records across 18,000 districts — reflected PowerSchool's position as the dominant K-12 SIS platform in North America.

Attack Vector Detail

The attacker used stolen credentials for PowerSchool's PowerSource customer support portal. The portal had access to the production SIS database for support purposes — the access that was intended for troubleshooting customer issues provided the mechanism for bulk data exfiltration. PowerSchool acknowledged that the compromised account did not have MFA enabled. The data exfiltration used a maintenance access tool that allowed bulk export of student records. The attack vector — compromised credentials on a support portal with broad production database access — is a specific risk category that many SaaS vendors have failed to adequately control.

Executive Lessons

The PowerSchool breach produced three enduring lessons. First, SaaS vendor customer support portals with production database access represent a distinct attack surface category that is often inadequately protected. The same access that enables efficient support creates the mechanism for catastrophic data exfiltration. MFA on every privileged access point is non-negotiable. Second, paying a ransom for data deletion provides no actual guarantee of deletion: the PowerSchool re-extortion campaign proved this with concrete evidence. Third, K-12 student data contains medical information, SSNs, and family details that are particularly sensitive for minors, creating long-duration liability: a child whose data was stolen in 2025 remains at identity theft risk for decades.

Private Equity Implications

For PE sponsors with edtech, SaaS, or software portfolio companies, PowerSchool established that customer support portal access controls are a material security investment, not an administrative detail. Any SaaS company whose support infrastructure can access production customer data must implement MFA, session monitoring, and data export controls on those access points. The re-extortion campaign also reinforces the lesson that data exfiltration liability is permanent — paying ransom does not transfer or eliminate it.
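The session-monitoring and data-export controls called for above, and the two weaknesses named in the attack vector section (a privileged portal login without MFA, and a support tool used for bulk export), can be expressed as a concrete detection check. The following is an added example, not PowerSchool's or Cloudskope's code; the audit-log format, field names, the 10,000-row threshold and the one-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample support-portal audit log (assumed format):
# timestamp|account|event|mfa=yes/no|rows=<records touched>
SAMPLE_LOG = """\
2024-12-22T10:01:00|support.alice|login|mfa=yes|rows=0
2024-12-22T10:05:00|support.alice|export|mfa=yes|rows=120
2024-12-22T10:40:00|support.alice|export|mfa=yes|rows=85
2024-12-28T02:13:00|support.bob|login|mfa=no|rows=0
2024-12-28T02:15:00|support.bob|export|mfa=no|rows=250000
2024-12-28T02:21:00|support.bob|export|mfa=no|rows=310000
"""

ROW_THRESHOLD = 10_000          # assumed ceiling for troubleshooting exports
WINDOW = timedelta(hours=1)     # assumed sliding window for export volume


def parse_line(line):
    """Parse one pipe-delimited audit line into a dict."""
    ts, user, event, mfa, rows = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "event": event,
        "mfa": mfa.split("=")[1] == "yes",
        "rows": int(rows.split("=")[1]),
    }


def find_alerts(log_text, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return (alert_type, account, timestamp) tuples for two conditions:
    a privileged login without MFA, and export volume above the
    per-account threshold within the sliding window."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    alerts = []
    for e in events:
        if e["event"] == "login" and not e["mfa"]:
            alerts.append(("no_mfa_login", e["user"], e["ts"].isoformat()))
    exports = defaultdict(list)
    for e in events:
        if e["event"] == "export":
            exports[e["user"]].append(e)
    for user, evs in exports.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rows"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]   # drop exports outside window
                start += 1
            if total > threshold:
                alerts.append(("bulk_export", user, evs[end]["ts"].isoformat()))
                break                         # one alert per account
    return alerts
```

Run against the constructed log, the check flags only the non-MFA login and the first oversized export for `support.bob`; routine small exports by `support.alice` stay silent.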

How Cloudskope Can Help

Cloudskope's SaaS vendor security assessments evaluate support portal access controls, production database access from non-production systems, and data exfiltration monitoring for SaaS portfolio companies.