Description: The California Attorney General's Office was notified of a data breach affecting **PowerSchool**, the former student information system provider for the Salinas City Elementary School District (SCESD). The incident, reported on **January 7, 2025**, involved unauthorized access to **legacy data** of SCESD students and staff. Compromised information included **names, email addresses, ethnicities, and other personal details**, though the exact scope of the exposed data remains undisclosed. While no financial or highly sensitive records (e.g., Social Security numbers) were confirmed as stolen, the breach exposed personally identifiable information (PII) of both current and former students and employees. In response, PowerSchool announced it would provide **two years of complimentary identity protection services** to affected individuals, mitigating potential risks like identity theft or phishing attempts. The breach did not disrupt school operations or involve ransomware demands, but it raised concerns over the security of historical student and staff records managed by third-party vendors. The incident underscores vulnerabilities in legacy systems and the long-term risks associated with data retained by former service providers.

Description: The Vermont Office of the Attorney General reported a data breach incident involving PowerSchool on January 27, 2025. The breach occurred on December 28, 2024, and involved the unauthorized exfiltration of personal information, potentially including names, contact information, dates of birth, and Social Security Numbers; the exact number of individuals affected is unknown.

Description: On January 27, 2025, the Washington Attorney General's Office was notified of a data breach at PowerSchool that occurred between December 19 and December 28, 2024. The breach affected approximately 182,122 individuals, with 6,412 having their Social Security numbers involved, and included personal information such as names, dates of birth, and limited medical alert information.

Description: U.S. education technology provider PowerSchool suffered a significant breach with over 60 million students' personal information compromised. The attackers accessed the school information system through the PowerSource support portal using previously obtained support credentials. Despite a CrowdStrike forensic investigation revealing previous network infiltration, PowerSchool has yet to disclose the full extent of the data breach or confirm its knowledge of earlier intrusions.

Description: In December 2024, PowerSchool—a widely used student information system (SIS) provider—suffered a major **data breach** due to compromised credentials, allowing a threat actor to access its **student information system (SIS) and customer support portal (PowerSource)**. The breach exposed **personal data of ~5.2 million Canadians**, including students, parents/guardians, and staff across **eight provinces and one territory**, with **3.86 million in Ontario and 700,000+ in Alberta** affected. The attacker exfiltrated sensitive records, exploiting an **‘always-on’ remote maintenance feature** left unsecured by school boards. Investigations by Ontario and Alberta’s privacy commissioners revealed **critical gaps in PowerSchool’s security measures**, including **lack of multi-factor authentication (MFA)**, inadequate contract provisions for privacy compliance, and **poor breach response protocols** among educational bodies. An **American college student** was later arrested and sentenced to **four years in prison** for cyber extortion linked to the attack. The incident underscored systemic failures in safeguarding student data, prompting calls for stricter vendor agreements and enhanced oversight.

Description: The **PowerSchool data breach** impacted approximately **5.2 million Canadians**, including **3.86 million Ontarians** and **700,000 Albertans**, exposing highly sensitive personal data such as **dates of birth, health-card numbers, social insurance numbers, and family information**. The breach was exacerbated by **excessive data retention policies**, with some school boards storing records dating back to **1965 (Peel District School Board) and 1985 (Toronto District School Board)**, far beyond educational necessity. The incident revealed **gaps in municipal breach reporting laws (MFIPPA)**, as unlike provincial institutions (FIPPA), many affected entities—including school boards, police services, and public libraries—**lacked mandatory breach notification, privacy impact assessments, or robust response plans**. Some institutions had **no breach response plan at all**, delaying mitigation. The breach underscored systemic failures in **third-party vendor accountability**, as institutions outsourced data management without ensuring compliance. The fallout prompted calls for **urgent legislative reforms** to align municipal and provincial privacy protections, alongside stricter **data minimization practices** to prevent future mass exposures.

Description: A Massachusetts college student exploited PowerSchool’s lack of multifactor authentication (MFA) to breach its systems in December, exposing sensitive data of over **62 million students** and **9 million teachers** across North America. In Toronto alone, records dating back to **1985**—including **special education and disciplinary files**—were leaked. Investigations by Ontario and Alberta’s privacy commissioners revealed systemic failures: schools lacked **contractual security provisions**, failed to **monitor PowerSchool’s safeguards**, allowed **unrestricted remote access** for support personnel, and had no **breach response plans**. The incident highlighted critical vulnerabilities in third-party vendor oversight, with regulators mandating stricter privacy controls, access limitations, and contract renegotiations to prevent future exposures.

Description: PowerSchool, a California-based education technology company, fell victim to a sophisticated cyberattack orchestrated by Matthew Lane, a 19-year-old 'seasoned cybercriminal.' Lane exploited advanced techniques to breach PowerSchool’s systems, stealing sensitive data belonging to **millions of students and teachers**. The stolen data was weaponized in a **$3 million extortion scheme**, marking a deliberate escalation in Lane’s criminal activities, which included prior attacks on government agencies, corporations, and foreign entities since 2021. The breach not only compromised vast amounts of **personal and educational records** but also exposed PowerSchool to severe financial and reputational damage. Federal prosecutors described the attack as part of a **pattern of cybercrime**, with Lane facing a **7-year prison sentence** and **$14 million in restitution**. The incident underscores the vulnerability of educational institutions to targeted cyber threats, particularly those aiming to **exfiltrate high-value data for ransom or malicious use**. Most of the extorted funds remain unrecovered, amplifying the long-term operational and trust-related consequences for PowerSchool.

Description: PowerSchool, an education software provider, suffered a significant cyberattack in 2024 when hacker **Matthew D. Lane** and accomplices breached its network, exfiltrating sensitive data including **names, addresses, Social Security numbers, and medical records** of an estimated **70 million individuals**. The attackers demanded **$2.85 million in bitcoin** to prevent data leaks, and while PowerSchool confirmed paying a ransom in May 2024, the threat actors continued extorting school districts in the **U.S. and Canada**. The breach exposed highly personal information, leading to potential identity theft, financial fraud, and reputational damage for the company. The incident also highlighted vulnerabilities in PowerSchool’s security posture, as attackers maintained persistent access over months, escalating the risk of further exploitation.

Description: A cyberattack on PowerSchool, a leading education software platform, resulted in the exfiltration of personal data of 62 million students and 9 million teachers. Despite paying the ransom, the data was not wiped, and hackers are now targeting individual schools using the stolen information. The breach affected over 6,500 school districts in the US and Canada. The exfiltrated data includes Social Security Numbers, names, addresses, and medical information. PowerSchool has offered free credit monitoring and identity theft protection to mitigate risks.

Description: PowerSchool, a software and cloud storage provider for school systems in the U.S. and Canada, suffered a mass data breach between **December 22–28, 2023**, orchestrated by **Matthew D. Lane**, an American student. The breach exposed sensitive data of **millions of students, teachers, and educators**, including **names, email addresses, phone numbers, and medical information**. Lane demanded a **$2.85 million Bitcoin ransom**, threatening to leak the stolen data if unpaid. PowerSchool confirmed paying an undisclosed ransom to prevent public exposure, but the **Toronto District School Board later revealed the data was not destroyed**, and the threat actor retained control. The breach impacted school boards across **Newfoundland and Labrador, Nova Scotia, Ontario, Alberta, and other regions**, prompting a federal privacy investigation (later discontinued after PowerSchool committed to enhanced security measures, including an independent assessment by **March 2026**). The incident underscored vulnerabilities in educational data systems and the risks of **ransomware-driven extortion** targeting critical infrastructure.

Description: PowerSchool, a cloud-based K-12 education software provider with 18,000+ global customers, suffered a **massive cyberattack in December 2024** orchestrated by 19-year-old Matthew D. Lane and accomplices. Using stolen subcontractor credentials, they breached PowerSchool’s **PowerSource customer support portal** and exfiltrated **sensitive data of 9.5 million teachers and 62.4 million students** across 6,505 school districts. Compromised data included **full names, addresses, phone numbers, passwords, parent details, Social Security numbers, and medical records**. The attackers, posing as the **Shiny Hunters** threat group, demanded **$2.85M in Bitcoin** and later attempted **secondary extortion** against individual school districts. PowerSchool paid an undisclosed ransom, but the breach led to **legal repercussions**, including a **$14M restitution order**, a **$25,000 fine**, and a **lawsuit by Texas AG Ken Paxton** for security negligence. Prior breaches in **August–September 2024** (via the same credentials) were also uncovered, though attribution remains unclear. The incident severely damaged trust in PowerSchool’s data protection capabilities.

Description: A 19-year-old college student, Matthew Lane, hacked into PowerSchool—a leading education technology company serving over 18,000 schools and 60 million students—by compromising a contractor’s credentials in September 2023. In December, he exfiltrated sensitive data for tens of millions of individuals, including students, teachers, and parents, to a leased server. The stolen data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical records, residential addresses, guardian details, and passwords. Lane then demanded a ransom of ~30 bitcoin (~$2.85M), threatening to leak the data globally if unpaid. PowerSchool confirmed paying the ransom, but at least four school districts later received extortion demands tied to the same breach. The incident instilled widespread fear among families, imposed financial burdens on victims, and exposed highly sensitive personal information to criminal risks. The breach was disclosed to customers on January 7, 2024, with Lane facing prison time and forfeiture of ransom proceeds under a plea deal.

Description: PowerSchool, an educational technology company, suffered a severe cyberattack orchestrated by a 19-year-old hacker, Matthew Lane, who demanded a $2.9 million ransom to prevent leaking the personal data of over **70 million individuals**, including **60 million students and 9 million teachers**. The breach exposed highly sensitive information such as **Social Security numbers, special education records, and medical conditions**, leading to catastrophic reputational, financial, and operational consequences.The incident incurred costs exceeding **$14 million**, covering identity theft monitoring for victims, legal penalties, and restitution. Lane, motivated by greed and with a history of hacking, was sentenced to **four years in prison** and fined **$25,000**, though prosecutors had pushed for a harsher seven-year term. The attack not only jeopardized the privacy of millions but also eroded trust in PowerSchool’s ability to safeguard critical educational data, posing long-term risks to its business viability and customer retention.

Description: PowerSchool, an education technology company managing student data for over 18,000 institutions globally, suffered a **massive ransomware attack** in 2024. A 19-year-old cybercriminal, Matthew Lane, and an unnamed coconspirator **stole sensitive records of 60+ million students and 10+ million educators**, including Social Security numbers, mental health data, and special education records. The attackers **extorted $2.85 million in Bitcoin** and threatened to leak the data worldwide, causing over **$14 million in total damages** (including ransom payments, identity theft services, and legal costs). The breach led to **lawsuits, reputational harm, and secondary extortion attempts** by other threat actors. PowerSchool initially denied the ransomware claim but later admitted to paying an undisclosed sum to prevent data exposure. The attack disrupted operations for school districts, exposed minors' data, and triggered regulatory scrutiny, including a lawsuit by the Texas Attorney General for **misrepresenting cybersecurity capabilities**.

Description: In December 2024, PowerSchool suffered a **ransomware-driven data breach** via its **PowerSource customer support portal**, which lacked multifactor authentication. Threat actors exfiltrated a dataset containing **student and staff names, contact details, Social Security numbers, medical notes, and limited passwords** from its **Student Information System**, impacting **60+ million students and 18,000 educational customers** across North America and Canada.PowerSchool **paid an undisclosed ransom** to prevent public exposure, but the actors later **extorted four school districts** using the same stolen data, contradicting PowerSchool’s earlier claim that the data was destroyed. The breach triggered **class-action lawsuits**, regulatory scrutiny, and **free credit monitoring for victims**. The FBI is investigating, while North Carolina’s education department refused to engage with attackers, citing legal prohibitions. The incident highlights failures in **access controls** and **ransomware response**, with ongoing risks of **identity theft, fraud, and reputational damage** for schools and families.