- Severity: critical
- Records: 71,500,000
- Vector: Credential Compromise — support portal without MFA
- Organization: PowerSchool
- Incident Date: 2024-12-19
Executive summary
PowerSchool, the largest provider of K-12 education software in the United States, suffered a catastrophic data breach in December 2024 that exposed personal information of approximately 62 million students and 9.5 million educators across thousands of school districts worldwide. The breach—the largest involving children’s data in U.S. history—occurred because a support portal account lacked multi-factor authentication.
Incident overview
| Attribute | Details |
|---|---|
| Victim organization | PowerSchool |
| Industry | Education technology |
| Discovery date | December 28, 2024 |
| Attack duration | December 19-28, 2024 (9 days) |
| Students affected | ~62 million |
| Educators affected | ~9.5 million |
| Total affected | ~71.5 million |
| Attack vector | Compromised credential (no MFA) |
| Ransom demanded | $2.85 million (Bitcoin) |
| Ransom paid | Yes |
| Attacker | Matthew D. Lane, 19, Massachusetts |
Timeline
| Date | Event |
|---|---|
| December 19, 2024 | Attacker gains access via compromised credential |
| December 19-28, 2024 | Data exfiltration over 9-day period |
| December 28, 2024 | PowerSchool discovers breach |
| January 2025 | PowerSchool begins notifying school districts |
| January 2025 | Ransom of $2.85 million paid in Bitcoin |
| March 2025 | Attacker sends video claiming data deletion |
| May 7, 2025 | Extortion emails sent to Canadian and North Carolina schools |
| May 20, 2025 | DOJ announces charges against Matthew D. Lane |
| May 2025 | Lane agrees to guilty plea, 9+ year sentence |
Attack methodology
Initial access
| Factor | Details |
|---|---|
| Entry point | PowerSource customer support portal |
| Credential type | Maintenance account |
| MFA status | Not enabled |
| Detection | Failed for 9 days |
PowerSchool executives admitted during internal meetings that the compromised account did not have multi-factor authentication enabled, a basic security control that could have prevented the breach.
Data exfiltration
| Phase | Activity |
|---|---|
| Access | Attacker logged into PowerSource portal |
| Enumeration | Discovered access to customer databases |
| Export | Downloaded student and educator records |
| Duration | Undetected for 9 days |
Data exposed
Student data
| Data type | Exposure |
|---|---|
| Full names | Confirmed |
| Addresses | Confirmed |
| Social Security numbers | Some districts |
| Dates of birth | Confirmed |
| Grades and academic records | Confirmed |
| Medical/health records | Some districts |
| Disciplinary records | Some districts |
| Historical data | Up to 20+ years |

Educator data
| Data type | Exposure |
|---|---|
| Full names | Confirmed |
| Addresses | Confirmed |
| Social Security numbers | Some districts |
| Employment records | Confirmed |
| Salary information | Some districts |
Scope of impact
Geographic reach
| Region | Status |
|---|---|
| United States | Primary impact |
| Canada | Confirmed affected |
| Other countries | PowerSchool operates in 90+ countries |
Affected entities
| Entity type | Approximate count |
|---|---|
| School districts | Thousands |
| Individual schools | Tens of thousands |
| Students | 62 million |
| Educators | 9.5 million |
PowerSchool serves over 60 million students across more than 18,000 customers in over 90 countries.
Ransom and extortion
Initial ransom
| Attribute | Details |
|---|---|
| Demand | $2.85 million |
| Currency | Bitcoin |
| Payment | Made by PowerSchool |
| Proof provided | Video showing “data deletion” |
Continued extortion
Despite the ransom payment, extortion continued:
| Date | Event |
|---|---|
| May 7, 2025 | Extortion emails to Canadian schools |
| May 7, 2025 | Extortion emails to North Carolina schools |
| Ongoing | Samples of stolen data included in threats |
This demonstrates the fundamental risk of ransom payments: there is no guarantee criminals will honor agreements.
Attacker profile
Matthew D. Lane
| Attribute | Details |
|---|---|
| Age | 19 years old |
| Location | Worcester, Massachusetts |
| Affiliation | Student at Assumption University |
| Charges | Obtaining information from protected computer, aggravated identity theft |
| Plea | Guilty |
| Minimum sentence | 9 years, 4 months |
Security failures
Critical gaps
| Failure | Impact |
|---|---|
| No MFA on support portal | Enabled initial access |
| Insufficient monitoring | 9-day dwell time |
| Excessive data access | Support account could access customer data |
| Historical data retention | Decades of records exposed |
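The first three gaps in the table above (no MFA, excessive data access, insufficient monitoring) can each be checked from portal audit data. The following is an added example, not PowerSchool's code or log format: the event fields, account names, finding codes, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

def ev(day, account, role, mfa, action, tenant=None, rows=0):
    """Build one constructed audit event (field names are assumptions)."""
    return {"day": date(2025, 3, day), "account": account, "role": role,
            "mfa": mfa, "action": action, "tenant": tenant, "rows": rows}

# Constructed sample data, not taken from any real portal log.
EVENTS = [
    ev(3, "agent-7", "support", True, "login"),
    ev(3, "agent-7", "support", True, "export", "district-a", 120),
    ev(3, "maint-1", "maintenance", False, "login"),
    ev(3, "maint-1", "maintenance", False, "export", "district-a", 40_000),
    ev(3, "maint-1", "maintenance", False, "export", "district-b", 55_000),
    ev(3, "maint-1", "maintenance", False, "export", "district-c", 61_000),
    ev(4, "maint-1", "maintenance", False, "export", "district-d", 70_000),
    ev(5, "maint-1", "maintenance", False, "export", "district-e", 90_000),
]

def review_support_access(events, max_tenants_per_day=2, max_rows_per_day=10_000):
    """Return {account: sorted finding codes} for risky internal accounts."""
    findings = defaultdict(set)
    tenants = defaultdict(set)   # (account, day) -> customer tenants exported from
    rows = defaultdict(int)      # (account, day) -> total rows exported
    for e in events:
        if e["action"] == "login" and not e["mfa"]:
            findings[e["account"]].add("LOGIN_WITHOUT_MFA")
        if e["action"] == "export":
            key = (e["account"], e["day"])
            tenants[key].add(e["tenant"])
            rows[key] += e["rows"]
    # Excessive data access: one internal account reaching many customers in a day.
    for (account, _day), seen in tenants.items():
        if len(seen) > max_tenants_per_day:
            findings[account].add("CROSS_TENANT_EXPORT")
    # Insufficient monitoring: bulk exports, and bulk exports that keep recurring.
    bulk_days = defaultdict(set)
    for (account, day), total in rows.items():
        if total > max_rows_per_day:
            findings[account].add("BULK_EXPORT")
            bulk_days[account].add(day)
    for account, days in bulk_days.items():
        if len(days) >= 3:  # nobody reacted after the first bulk-export day
            findings[account].add("SUSTAINED_EXPORT")
    return {a: sorted(f) for a, f in findings.items()}

if __name__ == "__main__":
    for account, codes in review_support_access(EVENTS).items():
        print(account, codes)
```

The thresholds are placeholders; in practice they would be set from each account role's normal export baseline.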
Industry criticism
Canadian privacy commissioners (Ontario and Alberta) issued coordinated findings stating that school boards must shoulder part of the blame:
| Finding | Details |
|---|---|
| Data minimization failure | Schools retained excessive historical data |
| Vendor oversight gaps | Insufficient security requirements |
| Access control weaknesses | Broad data access not limited |
PowerSchool actions
| Action | Details |
|---|---|
| Identity protection | 2 years free for affected individuals |
| Credit monitoring | 2 years free for affected individuals |
| Security improvements | MFA implementation accelerated |
| Notifications | Ongoing to school districts |
School district actions
| Action | Recommendation |
|---|---|
| Parent notification | Required by many state laws |
| Credit freezes | Recommended for minors |
| Identity monitoring | Encouraged for all affected |
Long-term implications
For affected children
| Risk | Duration |
|---|---|
| Identity theft | Lifelong (SSNs don’t change) |
| Synthetic identity fraud | Years to decades |
| Targeted scams | Ongoing |
| College application fraud | Until adulthood |
Children’s data is particularly valuable to criminals because:
- Credit histories are blank (easier to establish fraudulent accounts)
- Fraud may go undetected for years
- SSNs remain valid for a lifetime
For education sector
| Implication | Impact |
|---|---|
| Vendor security requirements | Will increase |
| Data minimization | Greater emphasis |
| MFA mandates | Likely universal |
| Insurance costs | Rising |
Recommendations
For parents of affected students
| Priority | Action |
|---|---|
| Critical | Freeze child’s credit at all three bureaus |
| Critical | Enroll in offered identity protection |
| High | Monitor for signs of identity misuse |
| High | Keep documentation of breach notification |
| Ongoing | Check credit annually once the child turns 16 |
For school districts
| Priority | Action |
|---|---|
| Critical | Audit vendor security practices |
| Critical | Require MFA for all vendor access |
| High | Implement data minimization policies |
| High | Limit historical data retention |
| Medium | Review vendor contracts for security requirements |
For education technology vendors
| Priority | Action |
|---|---|
| Critical | Mandate MFA on all access points |
| Critical | Implement least-privilege access |
| High | Deploy behavioral monitoring |
| High | Reduce data retention periods |
| Medium | Segment customer data environments |
Context
The PowerSchool breach represents a watershed moment for education data security. The compromise of 62 million students’ personal information—including Social Security numbers, medical records, and academic histories—creates risks that will persist for decades as these children grow into adulthood.
The breach’s root cause—a support account without multi-factor authentication—is both preventable and inexcusable in 2024. MFA has been a baseline security recommendation for over a decade, yet PowerSchool failed to implement it on a portal with access to millions of sensitive records.
The ransom payment and subsequent continued extortion illustrate why security experts and law enforcement advise against paying ransoms. PowerSchool paid $2.85 million for a video purportedly showing data deletion, yet months later, attackers continued threatening schools with the same stolen data.
For parents, the key action is freezing children’s credit at all three major bureaus. This is free and prevents criminals from opening accounts in a child’s name. Given that the stolen data includes Social Security numbers, this protective measure may need to remain in place for years.
The education sector must fundamentally reassess its approach to student data. Schools and vendors have accumulated decades of sensitive information with insufficient security controls. This breach should catalyze industry-wide reforms including mandatory MFA, data minimization, and rigorous vendor security requirements.