PowerSchool Data Breach 2025: 60 Million Student Records and the K-12 SIS Vulnerability

2024-12-28
BREACH INTELLIGENCE

Breach date: 2024-12-28
Industry: Technology
Severity: Critical
Records exposed: 60M+ students affected
Financial impact: $0 ransom — then extortion

Breach Summary

The PowerSchool breach of December 2024–January 2025 exposed the personal records of an estimated 60 million students and 10 million teachers across 18,000 school districts in the United States and Canada — making it the largest breach of K-12 education data in history. The attacker accessed PowerSchool's Student Information System (SIS) — the administrative platform that tracks student enrollment, grades, attendance, and sensitive family information — using compromised credentials on a customer support portal.

What made the breach particularly damaging was the subsequent extortion campaign: after school districts paid ransom to prevent data publication, the threat actor returned months later with fresh extortion demands directly against individual districts, demonstrating that the ransom payments had not produced data deletion.

What Happened

The attacker gained access to PowerSchool's PowerSource customer support portal in late December 2024 using stolen credentials. From PowerSource, they accessed PowerSchool's Student Information System database, exfiltrating records containing student names, dates of birth, addresses, Social Security numbers, medical information, and academic records. In some districts, teacher data was also stolen. PowerSchool discovered the breach in January 2025 and paid the attacker to delete the data, receiving a video purportedly showing deletion. By mid-2025, multiple school districts reported receiving fresh extortion demands from the same threat actor, indicating the deletion video was falsified. The scope — 60 million student records across 18,000 districts — reflected PowerSchool's position as the dominant K-12 SIS platform in North America.

Attack Vector Detail

The attacker used stolen credentials for PowerSchool's PowerSource customer support portal. The portal had access to the production SIS database for support purposes — the access that was intended for troubleshooting customer issues provided the mechanism for bulk data exfiltration. PowerSchool acknowledged that the compromised account did not have MFA enabled. The data exfiltration used a maintenance access tool that allowed bulk export of student records. The attack vector — compromised credentials on a support portal with broad production database access — is a specific risk category that many SaaS vendors have failed to adequately control.
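The two signals described above, a privileged support login that never completed MFA and a single support session pulling records from many customer tenants through a bulk-export tool, are both visible in ordinary portal audit logs if anyone looks. The following detection script is an added example, not PowerSchool's code or log format; the event fields (`event`, `role`, `mfa`, `session`, `tenant`, `rows`), the thresholds, and the sample log lines are all constructed for illustration.

```python
"""Detection over support-portal audit logs (constructed sample data, added example).

Flags privileged support logins that did not complete MFA, and support sessions
whose exports span an unusual number of customer tenants or an unusual row volume.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit events; field names are assumptions, not a real schema.
SAMPLE_LOG = """
{"ts": "2024-12-19T02:11:04Z", "event": "login", "user": "support.alice", "role": "support_admin", "mfa": true, "session": "s1"}
{"ts": "2024-12-19T02:12:30Z", "event": "export", "user": "support.alice", "session": "s1", "tenant": "district-0042", "rows": 150}
{"ts": "2024-12-19T23:40:12Z", "event": "login", "user": "support.bob", "role": "support_admin", "mfa": false, "session": "s2"}
{"ts": "2024-12-19T23:41:00Z", "event": "export", "user": "support.bob", "session": "s2", "tenant": "district-0001", "rows": 48000}
{"ts": "2024-12-19T23:41:20Z", "event": "export", "user": "support.bob", "session": "s2", "tenant": "district-0002", "rows": 51000}
{"ts": "2024-12-19T23:41:45Z", "event": "export", "user": "support.bob", "session": "s2", "tenant": "district-0003", "rows": 23000}
{"ts": "2024-12-19T23:42:10Z", "event": "export", "user": "support.bob", "session": "s2", "tenant": "district-0004", "rows": 77000}
"""

PRIVILEGED_ROLES = {"support_admin"}
MAX_TENANTS_PER_SESSION = 3      # a support ticket normally concerns one customer
MAX_ROWS_PER_SESSION = 100_000   # assumed ceiling before a human must approve a bulk job


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    session: str
    detail: str


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[Finding]:
    """Return one Finding per triggered rule, in a deterministic order."""
    findings: list[Finding] = []
    tenants: dict[str, set[str]] = defaultdict(set)   # session -> distinct tenants exported
    rows: dict[str, int] = defaultdict(int)           # session -> total rows exported
    owner: dict[str, str] = {}                        # session -> user

    for ev in events:
        sid = ev["session"]
        owner.setdefault(sid, ev["user"])
        if ev["event"] == "login" and ev.get("role") in PRIVILEGED_ROLES and not ev.get("mfa", False):
            findings.append(Finding("privileged_login_without_mfa", ev["user"], sid,
                                    f"role={ev['role']} at {ev['ts']}"))
        elif ev["event"] == "export":
            tenants[sid].add(ev["tenant"])
            rows[sid] += int(ev["rows"])

    for sid in sorted(set(tenants) | set(rows)):
        if len(tenants[sid]) > MAX_TENANTS_PER_SESSION:
            findings.append(Finding("multi_tenant_export", owner[sid], sid,
                                    f"{len(tenants[sid])} tenants in one session"))
        if rows[sid] > MAX_ROWS_PER_SESSION:
            findings.append(Finding("bulk_export_volume", owner[sid], sid,
                                    f"{rows[sid]} rows exported"))
    return findings


def run_sample() -> list[Finding]:
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] user={f.user} session={f.session} {f.detail}")
```

The per-session tenant count is the more robust of the two export rules: a legitimate support engineer works one customer's ticket at a time, so a session that touches four districts in two minutes stands out regardless of how the row threshold is tuned.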

Breach Pattern Timeline

Pre-December 2024

Threat actor obtains credentials to PowerSchool's PowerSource customer support portal — a system used by school district IT administrators worldwide to manage K-12 student information system (SIS) instances.

December 19, 2024 - January 8, 2025

Through compromised PowerSource credentials, attacker accesses student information system data for thousands of K-12 school districts globally. Data includes student names, dates of birth, addresses, parent/guardian information, medical alerts, and (in some cases) Social Security numbers and academic records.

January 7, 2025

PowerSchool publicly discloses the breach via customer notifications to affected school districts. Initial scope: ~6,500+ school districts globally including major U.S. districts in California, Texas, Florida, and Illinois.

January 2025

PowerSchool confirms it paid the threat actor to obtain proof of data deletion. It subsequently confirms that the paid actor still attempted to re-extort individual school districts directly, a pattern that reinforces the ineffectiveness of ransom payments.

February-March 2025

Attribution emerges to the Shiny Hunters threat group (the same group behind the 2024 Snowflake-customer breaches and the AT&T disclosure). Shiny Hunters re-extortion attempts continue against individual districts.

February-May 2025

School districts begin notifying affected students, parents, and families. Class action lawsuits filed against PowerSchool and parent company Bain Capital. Estimated 50+ million individuals' data exposed (students + parents).

May 2025

PowerSchool issues additional notifications as forensic analysis reveals a broader scope. Data breaches in the education sector are increasingly recognized as a distinct regulatory category by the FTC and state attorneys general.

2025-2026

PowerSchool breach becomes foundational precedent for: (1) education-sector SaaS concentration risk (PowerSchool has ~50% U.S. K-12 SIS market share), (2) FERPA enforcement modernization, (3) the limits of pay-for-deletion as a containment strategy when extortion is conducted by groups using the data for credential stuffing rather than direct sale.

Total impact: ~50+ million students, parents, and educators affected across ~6,500+ school districts globally; the breach also set a foundational precedent for education-sector SaaS concentration risk, FERPA modernization, and the failure of pay-for-deletion as a containment strategy.

Executive Lessons

PowerSchool produced three enduring lessons. First, SaaS vendor customer support portals with production database access represent a distinct attack surface that is often inadequately protected; MFA on every privileged access point is non-negotiable. Second, paying a ransom for data deletion provides no actual guarantee, as the PowerSchool re-extortion campaign proved. Third, K-12 student data contains information that creates liability persisting for decades.

Private Equity Implications

For PE sponsors with edtech, SaaS, or software portfolio companies, PowerSchool established that customer support portal access controls are a material security investment, not an administrative detail. Any SaaS company whose support infrastructure can access production customer data must implement MFA, session monitoring, and data export controls on those access points. The re-extortion campaign also reinforces the lesson that data exfiltration liability is permanent — paying ransom does not transfer or eliminate it.
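The three controls named here (MFA, session monitoring, and data export controls on support access points) can be enforced at one choke point: the code path that serves an export request from the support portal. The gate below is an added example written for this article, not PowerSchool's implementation; the ticket-scoping rule, the role name `support`, and the `ROW_CAP` value are assumptions chosen to illustrate the policy. It denies the exact request shape seen in the Attack Vector Detail section above (valid password, no MFA, bulk pull across tenants) and records every decision for monitoring.

```python
"""Export-control gate for a SaaS support portal (added example, not vendor code).

Policy enforced: a support user may export customer data only with an
MFA-verified session, only for the tenant named on an open support ticket,
and only up to a per-request row cap. Every decision is appended to an audit
trail so session monitoring has something to monitor.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ROW_CAP = 1000  # assumed per-request ceiling; larger pulls need a separately approved job


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool
    roles: frozenset[str]


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    tenant: str      # the one customer this ticket authorizes access to
    status: str      # "open" or "closed"


@dataclass(frozen=True)
class ExportRequest:
    session: Session
    tenant: str
    ticket: Ticket | None
    rows_requested: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class ExportGate:
    audit: list[str] = field(default_factory=list)

    def evaluate(self, req: ExportRequest) -> Decision:
        """Apply the policy and log the outcome, allowed or not."""
        decision = self._check(req)
        self.audit.append(
            f"user={req.session.user} tenant={req.tenant} rows={req.rows_requested} "
            f"allowed={decision.allowed} reason={decision.reason}"
        )
        return decision

    @staticmethod
    def _check(req: ExportRequest) -> Decision:
        s = req.session
        if "support" not in s.roles:
            return Decision(False, "role not permitted to export")
        if not s.mfa_verified:
            # A stolen password alone must not reach customer data.
            return Decision(False, "mfa required for support access")
        t = req.ticket
        if t is None or t.status != "open":
            return Decision(False, "no open support ticket")
        if t.tenant != req.tenant:
            # Scope support access to the single customer being helped.
            return Decision(False, "ticket does not authorize this tenant")
        if req.rows_requested > ROW_CAP:
            return Decision(False, f"exceeds row cap of {ROW_CAP}")
        return Decision(True, "ok")


def run_sample() -> list[Decision]:
    """Constructed requests: one legitimate, then the three abuse shapes."""
    gate = ExportGate()
    ticket = Ticket("T-100", "district-0042", "open")
    good = Session("support.alice", True, frozenset({"support"}))
    stolen = Session("support.bob", False, frozenset({"support"}))  # password only, no MFA
    return [
        gate.evaluate(ExportRequest(good, "district-0042", ticket, 200)),
        gate.evaluate(ExportRequest(stolen, "district-0042", ticket, 200)),
        gate.evaluate(ExportRequest(good, "district-0001", ticket, 200)),
        gate.evaluate(ExportRequest(good, "district-0042", ticket, 50_000)),
    ]


if __name__ == "__main__":
    for d in run_sample():
        print(f"allowed={d.allowed} reason={d.reason}")
```

The ticket-scoping check is the one most vendors skip: MFA stops the stolen-credential login, but without tying each export to one customer's open ticket, a legitimately authenticated support account can still enumerate every tenant.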

How Cloudskope Can Help

Cloudskope's SaaS vendor security assessments evaluate support portal access controls, production database access from non-production systems, and data exfiltration monitoring for SaaS portfolio companies.

Frequently Asked Questions

What was the PowerSchool breach?

In December 2024, K-12 education software vendor PowerSchool disclosed a breach affecting customer accounts. The breach exposed sensitive student data including names, addresses, dates of birth, Social Security numbers, and medical information for millions of K-12 students across the United States and Canada. PowerSchool serves approximately 75% of K-12 school districts in North America.

How did the PowerSchool breach happen?

Attackers used compromised credentials for a PowerSchool customer support tool to access customer databases. The tool was protected by single-factor authentication, and the compromised credentials provided access to the production databases of thousands of school district customers. PowerSchool paid a ransom to the threat actor in exchange for claimed deletion of the stolen data, though confirmation of actual deletion is not possible.

How many students were affected?

Estimates suggest data on tens of millions of students and staff was accessed across PowerSchool's customer base. Affected school districts have been progressively disclosing breach impact to their communities; final affected counts remain in flux as individual districts complete their investigations. Major affected school districts include Toronto District School Board (the largest in Canada) and multiple U.S. metropolitan school districts.

Did PowerSchool pay the ransom?

PowerSchool has confirmed paying a ransom to the threat actor. The payment was negotiated and made through professional incident response firms. PowerSchool stated the payment was made to obtain claimed evidence of data deletion, though no method exists to verify actual deletion of stolen data — the payment functions as risk mitigation rather than data recovery.

What did PowerSchool establish for education data security?

PowerSchool became the largest-scale K-12 student data breach in U.S. history and triggered congressional attention to education sector cybersecurity. The breach reinforced that education technology vendors holding sensitive minor student data require security controls equivalent to or stronger than commercial enterprise systems. For school districts, the implication is that vendor security assessment is a direct student protection obligation, not just a procurement consideration.