PowerSchool Data Breach 2025: 60 Million Student Records and the K-12 SIS Vulnerability
Breach Summary
The PowerSchool breach of December 2024–January 2025 exposed the personal records of an estimated 60 million students and 10 million teachers across 18,000 school districts in the United States and Canada — making it the largest breach of K-12 education data in history. The attacker accessed PowerSchool's Student Information System (SIS) — the administrative platform that tracks student enrollment, grades, attendance, and sensitive family information — using compromised credentials on a customer support portal.
What made the breach particularly damaging was the subsequent extortion campaign: after school districts paid ransom to prevent data publication, the threat actor returned with fresh extortion demands directly against individual districts months later, demonstrating that ransom payments had not produced data deletion.
What Happened
The attacker gained access to PowerSchool's PowerSource customer support portal in late December 2024 using stolen credentials. From PowerSource, they accessed PowerSchool's Student Information System database, exfiltrating records containing student names, dates of birth, addresses, Social Security numbers, medical information, and academic records. In some districts, teacher data was also stolen. PowerSchool discovered the breach in January 2025 and paid the attacker to delete the data, receiving a video purportedly showing deletion. By mid-2025, multiple school districts reported receiving fresh extortion demands from the same threat actor, indicating the deletion video was falsified. The scope — 60 million student records across 18,000 districts — reflected PowerSchool's position as the dominant K-12 SIS platform in North America.
Attack Vector Detail
The attacker used stolen credentials for PowerSchool's PowerSource customer support portal. The portal had access to the production SIS database for support purposes — the access that was intended for troubleshooting customer issues provided the mechanism for bulk data exfiltration. PowerSchool acknowledged that the compromised account did not have MFA enabled. The data exfiltration used a maintenance access tool that allowed bulk export of student records. The attack vector — compromised credentials on a support portal with broad production database access — is a specific risk category that many SaaS vendors have failed to adequately control.
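The pattern described above (a support account without MFA performing bulk exports) can be watched for in support-portal audit logs. The following is an added example, not code from PowerSchool or from this page: it flags support accounts that log in without MFA, export more rows than a support case plausibly needs, or export from several tenants within one hour. The log schema, account names, and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines, time-ordered); schema is an assumption.
SAMPLE_LOG = """\
{"ts":"2030-01-06T09:00:00","account":"support-a","mfa":true,"action":"login","tenant":null,"rows":0}
{"ts":"2030-01-06T09:05:00","account":"support-a","mfa":true,"action":"export","tenant":"district-001","rows":40}
{"ts":"2030-01-06T22:10:00","account":"support-b","mfa":false,"action":"login","tenant":null,"rows":0}
{"ts":"2030-01-06T22:12:00","account":"support-b","mfa":false,"action":"export","tenant":"district-001","rows":52000}
{"ts":"2030-01-06T22:20:00","account":"support-b","mfa":false,"action":"export","tenant":"district-002","rows":61000}
{"ts":"2030-01-06T22:31:00","account":"support-b","mfa":false,"action":"export","tenant":"district-003","rows":48000}
"""

MAX_ROWS = 5000              # assumed per-account row budget inside one window
MAX_TENANTS = 2              # assumed number of tenants one support case touches
WINDOW = timedelta(hours=1)  # assumed sliding window

def detect(log_text):
    """Return sorted (account, finding) pairs for support-account activity."""
    findings = set()
    exports = defaultdict(list)  # account -> [(time, tenant, rows)] inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["action"] == "login" and not ev["mfa"]:
            findings.add((acct, "login-without-mfa"))
        if ev["action"] != "export":
            continue
        # Slide the window: keep only this account's exports from the last hour.
        recent = [e for e in exports[acct] if ts - e[0] <= WINDOW]
        recent.append((ts, ev["tenant"], ev["rows"]))
        exports[acct] = recent
        if sum(rows for _, _, rows in recent) > MAX_ROWS:
            findings.add((acct, "bulk-export-volume"))
        if len({tenant for _, tenant, _ in recent}) > MAX_TENANTS:
            findings.add((acct, "cross-tenant-export"))
    return sorted(findings)

if __name__ == "__main__":
    for acct, finding in detect(SAMPLE_LOG):
        print(acct, finding)
```

The cross-tenant rule is the one most specific to a support portal: a single troubleshooting case rarely needs exports from more than one or two customers in the same hour.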
Breach Pattern Timeline
Pre-December 2024
Threat actor obtains credentials to PowerSchool's PowerSource customer support portal — a system used by school district IT administrators worldwide to manage K-12 student information system (SIS) instances.
December 19, 2024 - January 8, 2025
Through compromised PowerSource credentials, attacker accesses student information system data for thousands of K-12 school districts globally. Data includes student names, dates of birth, addresses, parent/guardian information, medical alerts, and (in some cases) Social Security numbers and academic records.
January 7, 2025
PowerSchool publicly discloses the breach via customer notifications to affected school districts. Initial scope: ~6,500+ school districts globally including major U.S. districts in California, Texas, Florida, and Illinois.
January 2025
PowerSchool confirms it paid the threat actor to obtain proof of data deletion. It subsequently confirms that the paid actor still attempted re-extortion of individual school districts directly, a pattern that reinforces the ineffectiveness of ransom payments.
February-March 2025
Attribution to the ShinyHunters threat group emerges (the same group behind the Snowflake-customer breaches in 2024 and the AT&T disclosure). ShinyHunters re-extortion attempts continue against individual districts.
February-May 2025
School districts begin notifying affected students, parents, and families. Class action lawsuits filed against PowerSchool and parent company Bain Capital. Estimated 50+ million individuals' data exposed (students + parents).
May 2025
PowerSchool issues additional notifications as forensic analysis reveals broader scope. Data breaches in the education sector are increasingly recognized as a distinct regulatory category by the FTC and state attorneys general.
2025-2026
PowerSchool breach becomes foundational precedent for: (1) education-sector SaaS concentration risk (PowerSchool has ~50% U.S. K-12 SIS market share), (2) FERPA enforcement modernization, (3) the limits of pay-for-deletion as a containment strategy when extortion is conducted by groups using the data for credential stuffing rather than direct sale.
Total impact: ~50+ million students, parents, and educators affected across ~6,500+ school districts globally; a foundational precedent for education-sector SaaS concentration risk, FERPA modernization, and the failure of pay-for-deletion as a containment strategy.
Executive Lessons
PowerSchool produced three enduring lessons. First, SaaS vendor customer support portals with production database access represent a distinct attack surface that is often inadequately protected. MFA on every privileged access point is non-negotiable. Second, ransom payment for data deletion provides no actual guarantee, as the PowerSchool re-extortion campaign proved. Third, K-12 student data contains information that creates liability lasting for decades.
Private Equity Implications
For PE sponsors with edtech, SaaS, or software portfolio companies, PowerSchool established that customer support portal access controls are a material security investment, not an administrative detail. Any SaaS company whose support infrastructure can access production customer data must implement MFA, session monitoring, and data export controls on those access points. The re-extortion campaign also reinforces the lesson that data exfiltration liability is permanent — paying ransom does not transfer or eliminate it.