Massive Data Breaches in 2024 Highlight Growing Cybersecurity Risks In 2024, cybersecurity threats continued to escalate, with high-profile breaches exposing billions of personal records. National Public Data suffered one of the largest leaks of the year, compromising Social Security numbers and other sensitive information for millions of individuals. Despite a $46,000 fine imposed by regulators, the exposed data remains accessible, leaving victims vulnerable to identity theft and fraud. Other targeted attacks further underscored the widespread risk. Home Depot employees and users of PowerSchool’s online education platform including teachers and students had their data exposed in separate incidents. While major breaches often dominate headlines, smaller-scale compromises, such as credit card skimmers, dishonest merchants, or even restaurant staff, continue to threaten financial security. Victims may only discover fraudulent charges after unauthorized transactions appear on their statements, sometimes starting with small test purchases before larger thefts occur. Banks have improved fraud detection, often freezing compromised cards before users notice. However, replacing a card disrupts automatic payments, requiring updates across multiple accounts. Beyond financial data, hacked email accounts pose serious risks, enabling scammers to send spam, impersonate victims, or reset passwords for linked services including banking and social media. Even if passwords aren’t reused, attackers can exploit password reset functions to hijack additional accounts. Identity theft remains a persistent threat, with criminals using stolen personal information to open fraudulent credit lines. Victims often discover the breach only when denied new credit, highlighting the importance of regular credit monitoring. Services like AnnualCreditReport.com allow free yearly checks from Equifax, Experian, and TransUnion, while tools like Credit Karma offer weekly soft inquiries without damaging credit scores. Dark web monitoring services, such as Bitdefender Digital Identity Protection and Norton 360 Deluxe, scan for exposed personal data, while password managers like Keeper and Bitwarden alert users to breached credentials and facilitate secure password updates. Recovering from a breach varies by incident type. Compromised credit cards are relatively straightforward banks absorb fraudulent charges, and new cards resolve the issue, though users must update saved payment details. Hacked email accounts require more effort, including proving ownership to the provider and resetting passwords for all linked services. Without a password manager, this process becomes cumbersome, as hackers can exploit password reset links to access additional accounts. For full-scale identity theft, the Federal Trade Commission (FTC) provides a step-by-step recovery guide, including credit report reviews and official identity theft reports. While third-party remediation services can assist, they must be in place before an incident occurs functioning like insurance rather than a retroactive fix. Proactive measures, such as credit freezes, fraud alerts, and mobile payment systems (e.g., Apple Pay, Google Pay), reduce exposure. Mobile payments generate unique transaction numbers, rendering stolen data useless to hackers. Despite these safeguards, no solution is foolproof. Poorly secured websites can leak even strong passwords, while data brokers legally aggregate public records such as real estate transactions into sellable profiles. Services like Optery and Privacy Bee help remove personal data from broker databases, though some require paid subscriptions for full automation. The article emphasizes that prevention is critical, as breaches are inevitable. Simple steps using unique passwords, monitoring accounts, shredding documents, and minimizing unnecessary data sharing can mitigate risks. However, the sheer volume of breaches in 2024 demonstrates that no individual or organization is immune, reinforcing the need for continuous vigilance.

PowerSchool Data Breach Exposes Millions of Students, Highlighting EdTech Cybersecurity Risks A recent cybersecurity incident at PowerSchool, a widely used education technology (EdTech) platform, has compromised the personal data of millions of students across thousands of educational institutions. The breach underscores the growing threat to schools and universities, which hold vast amounts of sensitive data including student records, employee information, and family details making them prime targets for cyberattacks. The exposed data reportedly included names, email addresses, student IDs, and internal messages. While less sensitive than Social Security or financial information, such breaches still trigger legal obligations under federal and state laws, including the Family Educational Rights and Privacy Act (FERPA) and New York’s Education Law § 2-d. Educational institutions, not the vendors, bear the legal and reputational fallout, facing potential litigation, regulatory scrutiny, and community backlash. The timing of the breach coinciding with final exams disrupted operations for schools and students, highlighting the need for robust incident response plans and data backups to minimize downtime. The incident also reinforces the importance of continuous vendor oversight, as outsourcing data storage does not absolve institutions of responsibility. Effective risk management requires thorough vendor vetting, enforceable contractual safeguards, and ongoing monitoring to mitigate future threats.

Charlotte-Mecklenburg Schools Reinstates PowerSchool Contract Despite 2024 Data Breach Charlotte-Mecklenburg Schools (CMS) has approved a new one-year contract with PowerSchool, the education software provider behind a major 2024 data breach that exposed personal information of North Carolina students and teachers. The $347,000 agreement, finalized during a June 2025 Board of Education meeting, restricts PowerSchool’s use to district employees covering educator evaluations, professional development, and job application software while excluding student and parent data. The breach, which prompted the North Carolina Department of Public Instruction to terminate its statewide PowerSchool contract in late 2024, led CMS to transition student records to Infinite Campus. Board Vice Chair Gregory “Dee” Rankin confirmed that Infinite Campus remains the district’s primary platform for grades, attendance, and student-related data, emphasizing no change in that system. PowerSchool stated that its 2025 incident report guided security improvements, including investments in advanced protections and collaborations with regulators. The company’s limited role in CMS focused on HR functions like job applications and internal evaluations reflects a narrower scope post-breach. CMS clarified that PowerSchool’s tools remain in use by the state for educator assessments but are no longer tied to student data in the district.

PowerSchool and Bain Face Legal Setback in Data Breach Lawsuit A California federal judge has partially denied motions to dismiss a lawsuit against PowerSchool Holdings Inc. and Bain Capital, allowing data breach claims from individual users and school districts to proceed. The plaintiffs allege that after Bain’s merger with PowerSchool, the company offshored cybersecurity functions to contractors, leading to vulnerabilities that exposed sensitive data. The lawsuit centers on a cyber incident affecting nearly 50 million individuals, with claims that the offshoring of data-management tools enabled vendors to bypass consent protocols and access protected school district systems. The ruling, issued on Wednesday in the U.S. District Court for the Southern District of California, rejects Bain’s attempt to fully dismiss the case, signaling potential legal and financial repercussions for the companies involved. The decision underscores growing scrutiny over third-party cybersecurity risks and corporate accountability in large-scale data breaches. Further proceedings will determine liability and potential damages.

Maine Families Eligible for $17M Naviance Data Breach Settlement Thousands of Maine families may qualify for compensation from a $17 million class action settlement involving Naviance, an education software platform used by multiple school districts. The lawsuit, finalized in February 2026, alleges that the company improperly allowed third-party access to confidential student records. Eligibility extends to current and former students who logged into Naviance at least once in the past five years. A final hearing to approve the settlement is scheduled for August 2026. This legal action follows a separate January 2025 data breach disclosed by PowerSchool, which impacted over 30,000 Maine families and exposed personal data. The incidents highlight ongoing concerns over student data privacy in educational software systems.

West Iron County School Board Joins National Lawsuit Over PowerSchool Data Breach The West Iron County School Board of Education voted on November 18, 2025, to join a nationwide lawsuit against PowerSchool Holdings, Inc., following a data breach that exposed sensitive student and staff information. The decision came after extensive debate during the board’s meeting. PowerSchool, a widely used educational software provider, has faced legal action from multiple school districts over alleged security failures that compromised personal data. While details of the breach’s scope and timeline remain undisclosed, the lawsuit reflects growing concerns over cybersecurity risks in K-12 digital platforms. The move aligns West Iron County with other districts seeking accountability for potential lapses in data protection. The case highlights the broader impact of cybersecurity incidents on educational institutions, where student privacy and operational integrity are at stake. Further developments in the lawsuit are expected as legal proceedings progress.

PowerSchool, an educational technology company, suffered a severe cyberattack orchestrated by a 19-year-old hacker, Matthew Lane, who demanded a $2.9 million ransom to prevent leaking the personal data of over 70 million individuals, including 60 million students and 9 million teachers. The breach exposed highly sensitive information such as Social Security numbers, special education records, and medical conditions, leading to catastrophic reputational, financial, and operational consequences.The incident incurred costs exceeding $14 million, covering identity theft monitoring for victims, legal penalties, and restitution. Lane, motivated by greed and with a history of hacking, was sentenced to four years in prison and fined $25,000, though prosecutors had pushed for a harsher seven-year term. The attack not only jeopardized the privacy of millions but also eroded trust in PowerSchool’s ability to safeguard critical educational data, posing long-term risks to its business viability and customer retention.

A cyberattack on PowerSchool, a leading education software platform, resulted in the exfiltration of personal data of 62 million students and 9 million teachers. Despite paying the ransom, the data was not wiped, and hackers are now targeting individual schools using the stolen information. The breach affected over 6,500 school districts in the US and Canada. The exfiltrated data includes Social Security Numbers, names, addresses, and medical information. PowerSchool has offered free credit monitoring and identity theft protection to mitigate risks.

North Carolina Attorney General’s Office Continues Probe into PowerSchool Data Breach Over a Year Later More than a year after North Carolina Attorney General Jeff Jackson launched an investigation into the PowerSchool data breach, the case remains ongoing. The breach, which exposed sensitive student and school district information, prompted the state’s scrutiny into the incident’s scope and potential vulnerabilities. While details of the investigation remain limited, the prolonged timeline underscores the complexity of assessing the breach’s impact and ensuring accountability. PowerSchool, a widely used education technology platform, serves millions of students nationwide, raising concerns about the security of educational data. The probe follows a broader trend of increased regulatory attention on data privacy in the education sector, particularly as cyber threats targeting schools and ed-tech providers grow. No further updates on the investigation’s findings or next steps have been released.

U.S. education technology provider PowerSchool suffered a significant breach with over 60 million students' personal information compromised. The attackers accessed the school information system through the PowerSource support portal using previously obtained support credentials. Despite a CrowdStrike forensic investigation revealing previous network infiltration, PowerSchool has yet to disclose the full extent of the data breach or confirm its knowledge of earlier intrusions.

The California Attorney General's Office was notified of a data breach affecting PowerSchool, the former student information system provider for the Salinas City Elementary School District (SCESD). The incident, reported on January 7, 2025, involved unauthorized access to legacy data of SCESD students and staff. Compromised information included names, email addresses, ethnicities, and other personal details, though the exact scope of the exposed data remains undisclosed. While no financial or highly sensitive records (e.g., Social Security numbers) were confirmed as stolen, the breach exposed personally identifiable information (PII) of both current and former students and employees. In response, PowerSchool announced it would provide two years of complimentary identity protection services to affected individuals, mitigating potential risks like identity theft or phishing attempts. The breach did not disrupt school operations or involve ransomware demands, but it raised concerns over the security of historical student and staff records managed by third-party vendors. The incident underscores vulnerabilities in legacy systems and the long-term risks associated with data retained by former service providers.

Teen Hacker Behind Massive Education Data Breach Sentenced to Prison A 20-year-old hacker, Matthew Lane, has been sentenced to four years in prison for orchestrating one of the largest education data breaches in history. Lane, who began hacking at 15, infiltrated PowerSchool a California-based software provider serving over 18,000 school districts worldwide using stolen employee credentials in 2024. He exfiltrated sensitive data, including Social Security numbers, birth dates, and medical records, transferring it to a server in Ukraine before demanding a $2.8 million Bitcoin ransom. PowerSchool paid an undisclosed sum to prevent the leak of data belonging to an estimated 60 million students and 10 million teachers across the U.S., Canada, and other countries. The breach impacted several San Diego County school districts, including Rancho Santa Fe, Ramona Unified, and Santee, though San Diego Unified later confirmed its data was unaffected. Lane, who has autism, described hacking as an addiction, driven by the thrill and financial rewards. He used ransom proceeds to fund a lavish lifestyle, including a penthouse and designer goods. Arrested by the FBI in his Massachusetts dorm room at 19, he expressed relief at being caught, stating he would have continued otherwise. A judge ordered him to pay over $14 million in restitution. FBI Supervisory Special Agent Doug Domin called the PowerSchool hack one of the worst he’d seen, noting investigators traced the breach through financial transactions. Experts, including Fergus Hay of The Hacking Games, highlighted that many cybercriminals are young, neurodivergent individuals drawn to hacking through gaming communities, where pattern recognition and rule-breaking skills translate into cybercrime. PowerSchool, which offered affected individuals two years of free credit monitoring, emphasized its commitment to data security but did not disclose the total number of victims. The case underscores the growing threat of juvenile hackers exploiting vulnerabilities in critical systems.

North Carolina Faces Record-Breaking Data Breaches, Including Major Education Sector Attacks North Carolina has seen a surge in data breaches, with the state’s Department of Justice (NCDOJ) reporting 2,349 incidents in 2025 impacting over nine million residents. The majority of these breaches stem from hacking and phishing attacks, with cybercriminals increasingly targeting sensitive data for extortion or resale. A recent breach at Wake County Public Schools highlighted the vulnerability of educational institutions. The district confirmed a cybersecurity incident involving Canvas, a statewide learning management system operated by Instructure, potentially exposing student and staff data. This follows a 2024 attack on PowerSchool, a student information system, where hackers accessed millions of records an incident linked to the lack of multi-factor authentication (MFA). The company reportedly paid a ransom to the attackers. Education remains a prime target, accounting for 155 breaches (7% of the state’s total) in 2025. Experts note that schools store vast amounts of sensitive data but often rely on third-party vendors, making them attractive to attackers. Kimberly Simon, CEO of Growth Office Partners, emphasized that a single breach can compromise thousands of individuals at once. In response, the North Carolina Department of Public Instruction (NCDPI) is seeking $1.1 million in funding for cybersecurity contracts, including phishing simulation training a critical tool, as 70% of attacks originate from phishing. During a recent State Board of Education meeting, Vanessa Wrenn, NCDPI’s chief information officer, stressed the need to address vendor security gaps, while board member Alan Duncan acknowledged past breaches tied to third-party vulnerabilities. The FBI’s 2024 Internet Crime Report further underscores the financial toll, with North Carolinians losing $431.6 million across 25,940 complaints. The agency recommends MFA implementation, network segmentation, regular backups, and timely patching to mitigate risks. Despite these measures, the state’s escalating breach numbers signal an ongoing challenge in securing critical infrastructure.

Bain Capital Faces Legal Action Over PowerSchool Data Breach, Setting Precedent for Private Equity Liability A federal judge in California has allowed a lawsuit against Bain Capital to proceed, marking a potential turning point in holding private equity (PE) firms accountable for cybersecurity failures at acquired companies even those predating the acquisition. The case stems from a massive data breach at PowerSchool, a K-12 education software provider, which exposed the personal data of 60 million students and 10 million teachers across North America. ### The Acquisition and Breach Timeline Bain Capital acquired PowerSchool in a $5.6 billion deal that closed on October 1, 2024, following negotiations that began in August 2022. However, the breach originated before the acquisition in August 2024, when a threat actor used stolen vendor credentials to infiltrate PowerSchool’s systems. Initial data exfiltration from a single school district occurred in September 2024, but the full scope of the breach went undetected until December 28, 2024, when the hacking group ShinyHackers demanded a ransom. The stolen data transferred to a cloud provider in Ukraine included Social Security numbers, medical records, financial details, addresses, disability records, and custody information. PowerSchool publicly disclosed the breach on January 7, 2025, prompting multiple class-action lawsuits. ### Legal Ruling and Allegations Against Bain On March 18, 2026, the U.S. District Court for the Southern District of California ruled that claims against Bain could proceed, rejecting the firm’s motion to dismiss. The court found sufficient evidence to support allegations that Bain: - Ratified cost-cutting measures that included layoffs of domestic cybersecurity staff. - Held pre-closing veto rights over major expenditures, vendor contracts, and workforce changes. - Replaced PowerSchool’s entire board post-acquisition. - Directed the offshoring of IT and cybersecurity functions, including tools that bypassed consent protocols, enabling unauthorized access. - Failed to assess risks from the offshoring it mandated. - Oversaw layoffs of critical IT staff, including at least 5% of the workforce. The court dismissed Bain’s argument that a "disclaimer of control" clause in the acquisition agreement shielded it from liability, ruling that the firm’s actions demonstrated de facto control over PowerSchool’s operations. ### Broader Implications for Private Equity The ruling suggests that PE firms may face legal exposure for cybersecurity failures at portfolio companies, even if breaches occurred before acquisition. The case underscores the need for thorough pre- and post-acquisition cybersecurity due diligence, particularly when restructuring operations or reducing costs. While the litigation remains ongoing, the decision signals a potential shift in how courts view parent company liability in data breach cases especially when PE firms exert operational control over acquired entities.

Ransomware in 2025–2026: Evolving Threats, Rising Costs, and High-Profile Attacks Ransomware remains a critical threat to governments, businesses, and critical infrastructure, disrupting healthcare, fuel distribution, retail, and identity security. Financial and operational impacts have intensified, with attackers refining tactics to maximize damage and extortion. ### Key Ransomware Trends 1. Supply Chain Attacks – Threat actors increasingly target software vendors to compromise multiple downstream victims. Notable incidents include: - 2023 MoveIt Transfer breach (Clop ransomware gang) - 2021 Kaseya attack (1,500+ MSP customers affected) - 2020 SolarWinds hack 2. Triple Extortion – Beyond encrypting data and threatening leaks, attackers now demand payment to prevent additional attacks. The Vice Society group used this tactic in its 2023 attack on San Francisco’s BART system. Leading ransomware groups like LockBit 5.0 now use private negotiation portals for targeted extortion. 3. Ransomware-as-a-Service (RaaS) – Cybercriminals lease pre-built ransomware tools and infrastructure, lowering the barrier to entry for attacks. 4. Exploiting Unpatched Systems – While zero-day vulnerabilities draw attention, most ransomware exploits known flaws in outdated software. 5. Phishing & AI-Driven Attacks – Phishing remains a primary infection vector, while generative AI enhances social engineering lures, reconnaissance, and attack automation. ### Ransomware by the Numbers (2025) - 44% of breaches involved ransomware (Verizon 2025 DBIR), a 37% increase from 2024. - 88% of SMB breaches included ransomware, compared to 39% in large enterprises. - 34% rise in attacks in the first three quarters of 2025 (Total Assure). - 5,010 U.S. incidents in the first 10 months of 2025 a 50% increase from 2024 (Cyble). - 85% of attacks go unreported (BlackFog). - Median ransom payment: $267,500 (Palo Alto Networks 2025). - Average ransom payment: $1 million (Sophos 2025), down from $2 million in 2024. - Average insurance claim: $292,000 (Coalition 2025), a 7% decrease from 2024. ### Notable 2024–2025 Ransomware Attacks - PowerSchool (Dec. 2024) – Exposed data of 62M students and 9.5M teachers across North America. - Yale New Haven Health (Mar. 2025) – Compromised 5.6M patient records; settled a class-action lawsuit for $18M. - NASCAR (Apr. 2025) – Medusa ransomware gang stole 1TB of data and demanded $4M. - DaVita (Apr. 2025) – 2.7M patients’ health data exposed by Interlock ransomware. - Marks & Spencer (May 2025) – Pay2Key ransomware disrupted operations, contributing to a 90% profit drop. - Ingram Micro (Jul. 2025) – SafePay ransomware caused service disruptions and revenue losses. - Change Healthcare (2024) – Initially reported 100M+ victims; revised to 193M by mid-2025. - LoanDepot (2024) – Attack disrupted loan services for 16.6M customers. - MGM Resorts & Caesars Entertainment (2023) – High-profile attacks crippled Las Vegas casino operations. ### Future Ransomware Predictions - AI-Powered Automation – Attacks will become faster, more persistent, and harder to detect (Trend Micro). - Voice-Based Vishing – AI-generated calls will rise as a social engineering tactic (Zscaler). - Encryption-Free Extortion – More groups will skip encryption, relying solely on data theft threats (SentinelOne). - GenAI-Enhanced Phishing – AI will enable more convincing, large-scale phishing campaigns. Ransomware shows no signs of slowing, with attackers leveraging AI, supply chain vulnerabilities, and multi-layered extortion to escalate both frequency and impact.

In December 2024, PowerSchool—a widely used student information system (SIS) provider—suffered a major data breach due to compromised credentials, allowing a threat actor to access its student information system (SIS) and customer support portal (PowerSource). The breach exposed personal data of ~5.2 million Canadians, including students, parents/guardians, and staff across eight provinces and one territory, with 3.86 million in Ontario and 700,000+ in Alberta affected. The attacker exfiltrated sensitive records, exploiting an ‘always-on’ remote maintenance feature left unsecured by school boards. Investigations by Ontario and Alberta’s privacy commissioners revealed critical gaps in PowerSchool’s security measures, including lack of multi-factor authentication (MFA), inadequate contract provisions for privacy compliance, and poor breach response protocols among educational bodies. An American college student was later arrested and sentenced to four years in prison for cyber extortion linked to the attack. The incident underscored systemic failures in safeguarding student data, prompting calls for stricter vendor agreements and enhanced oversight.

PowerSchool, a cloud-based K-12 education software provider with 18,000+ global customers, suffered a massive cyberattack in December 2024 orchestrated by 19-year-old Matthew D. Lane and accomplices. Using stolen subcontractor credentials, they breached PowerSchool’s PowerSource customer support portal and exfiltrated sensitive data of 9.5 million teachers and 62.4 million students across 6,505 school districts. Compromised data included full names, addresses, phone numbers, passwords, parent details, Social Security numbers, and medical records. The attackers, posing as the Shiny Hunters threat group, demanded $2.85M in Bitcoin and later attempted secondary extortion against individual school districts. PowerSchool paid an undisclosed ransom, but the breach led to legal repercussions, including a $14M restitution order, a $25,000 fine, and a lawsuit by Texas AG Ken Paxton for security negligence. Prior breaches in August–September 2024 (via the same credentials) were also uncovered, though attribution remains unclear. The incident severely damaged trust in PowerSchool’s data protection capabilities.

PowerSchool, an education technology company managing student data for over 18,000 institutions globally, suffered a massive ransomware attack in 2024. A 19-year-old cybercriminal, Matthew Lane, and an unnamed coconspirator stole sensitive records of 60+ million students and 10+ million educators, including Social Security numbers, mental health data, and special education records. The attackers extorted $2.85 million in Bitcoin and threatened to leak the data worldwide, causing over $14 million in total damages (including ransom payments, identity theft services, and legal costs). The breach led to lawsuits, reputational harm, and secondary extortion attempts by other threat actors. PowerSchool initially denied the ransomware claim but later admitted to paying an undisclosed sum to prevent data exposure. The attack disrupted operations for school districts, exposed minors' data, and triggered regulatory scrutiny, including a lawsuit by the Texas Attorney General for misrepresenting cybersecurity capabilities.

PowerSchool, an education software provider, suffered a significant cyberattack in 2024 when hacker Matthew D. Lane and accomplices breached its network, exfiltrating sensitive data including names, addresses, Social Security numbers, and medical records of an estimated 70 million individuals. The attackers demanded $2.85 million in bitcoin to prevent data leaks, and while PowerSchool confirmed paying a ransom in May 2024, the threat actors continued extorting school districts in the U.S. and Canada. The breach exposed highly personal information, leading to potential identity theft, financial fraud, and reputational damage for the company. The incident also highlighted vulnerabilities in PowerSchool’s security posture, as attackers maintained persistent access over months, escalating the risk of further exploitation.

PowerSchool Data Breach Exposes 70 Million Records in 2024, Highlighting Growing Cybersecurity Threats In 2024, a massive data breach at PowerSchool, a leading provider of cloud-based education software, compromised the personal information of 60 million children and 10 million teachers across the U.S. The breach, carried out by 19-year-old college student Matthew Lane, exposed sensitive data, including grades, discipline records, and personally identifiable information (PII). Lane gained unauthorized access to PowerSchool’s systems using stolen credentials from a contractor associated with the company. After exfiltrating the data, he demanded a $3 million ransom to delete the stolen records a demand PowerSchool reportedly paid to prevent further exposure. Authorities apprehended Lane months later, though the long-term impact of the breach remains a concern for affected students, educators, and institutions. The incident underscores the escalating threat of cyberattacks, particularly those targeting third-party vendors and contractors. With 3,322 data breaches reported in 2025 a record high affecting over 278 million individuals, the PowerSchool breach serves as a stark reminder of the vulnerabilities in critical infrastructure, even in sectors like education. The case also raises questions about ransom payments and their role in fueling future cybercrime.

PowerSchool, a software and cloud storage provider for school systems in the U.S. and Canada, suffered a mass data breach between December 22–28, 2023, orchestrated by Matthew D. Lane, an American student. The breach exposed sensitive data of millions of students, teachers, and educators, including names, email addresses, phone numbers, and medical information. Lane demanded a $2.85 million Bitcoin ransom, threatening to leak the stolen data if unpaid. PowerSchool confirmed paying an undisclosed ransom to prevent public exposure, but the Toronto District School Board later revealed the data was not destroyed, and the threat actor retained control. The breach impacted school boards across Newfoundland and Labrador, Nova Scotia, Ontario, Alberta, and other regions, prompting a federal privacy investigation (later discontinued after PowerSchool committed to enhanced security measures, including an independent assessment by March 2026). The incident underscored vulnerabilities in educational data systems and the risks of ransomware-driven extortion targeting critical infrastructure.

A 19-year-old college student, Matthew Lane, hacked into PowerSchool—a leading education technology company serving over 18,000 schools and 60 million students—by compromising a contractor’s credentials in September 2023. In December, he exfiltrated sensitive data for tens of millions of individuals, including students, teachers, and parents, to a leased server. The stolen data included names, email addresses, phone numbers, Social Security numbers, dates of birth, medical records, residential addresses, guardian details, and passwords. Lane then demanded a ransom of ~30 bitcoin (~$2.85M), threatening to leak the data globally if unpaid. PowerSchool confirmed paying the ransom, but at least four school districts later received extortion demands tied to the same breach. The incident instilled widespread fear among families, imposed financial burdens on victims, and exposed highly sensitive personal information to criminal risks. The breach was disclosed to customers on January 7, 2024, with Lane facing prison time and forfeiture of ransom proceeds under a plea deal.

New York City Public Schools Face Critical Gaps in Student Data Security, Audit Finds A five-year audit by New York State Comptroller Thomas DiNapoli has revealed significant vulnerabilities in how New York City Public Schools (NYCPS) manage and protect student data. The report, released on Monday, highlights systemic weaknesses in data security policies, third-party vendor oversight, and compliance with state requirements raising concerns as the district expands its use of AI and educational technology. The audit, covering 2020 to 2025, found that NYCPS serving nearly 900,000 students lacks a comprehensive inventory of the software and third-party platforms used across its schools. This decentralized approach has led to multiple data breaches, including a 2021–22 incident involving Illuminate, a grading platform that exposed the personal information of 820,000 current and former students. In 2024, hackers accessed student names and birthdates through PowerSchool, a school records program, affecting over 3,000 students and 317 staff. The Education Department only learned of the breach in January 2025, underscoring delays in detection and response. Between January 2023 and February 2025, auditors identified 141 data security incidents involving breaches of student and staff information, either through third-party vendors or internal systems. The report also found that 218 of 528 surveyed schools used at least 70 different applications beyond the two central systems, reflecting uncoordinated technology adoption. Despite a vendor vetting process, the Education Department lacks visibility into which schools use which platforms and whether they contain sensitive data. Compliance failures further compound the risks. Nearly 25% of NYCPS employees about 43,000 staff did not complete mandatory annual data privacy training, and the district has no system to prevent untrained personnel from accessing sensitive information. Reporting delays were also prevalent: nearly half of data incidents were reported to the state Education Department past the 10-day deadline, and families were notified late in 11% of cases. While the audit did not find direct violations of the federal Family Educational Rights and Privacy Act (FERPA), it warned that the identified gaps could lead to noncompliance. NYCPS acknowledged the findings, citing recent improvements such as a new student privacy webpage and a data privacy working group. However, the city disputed claims of a lack of centralized oversight, arguing that schools follow a standardized vendor approval process. Critics, including education advocates and Panel for Educational Policy members, have called for a moratorium on AI adoption, citing the audit as evidence of insufficient safeguards. The comptroller’s office plans to conduct a follow-up audit in one year to assess progress.

PowerSchool Naviance Data Harvesting Lawsuit Settles for $17.25 Million In early April, students worldwide received notifications about a settlement in a lawsuit against PowerSchool, the provider of Naviance, a widely used college and career readiness platform. The lawsuit alleged that between August 18, 2021, and January 23, 2026, Naviance embedded Heap, a third-party tracking tool, which collected sensitive student data including keystrokes, clicks, mouse movements, and private messages to counselors without consent. The harvested data was reportedly sent to Google, Microsoft, and Hotjar, violating state and federal privacy laws, including the Electronic Communications Privacy Act and the California Invasion of Privacy Act. Filed in August 2023 by an unnamed Chicago student, the lawsuit accused Naviance of unauthorized digital surveillance. PowerSchool denied the allegations but reached a $17.25 million settlement in February 2026, with payments to affected students. As part of the agreement, Heap, Google, Microsoft, and Hotjar agreed to delete all stored student data. Final approval is pending at a hearing on August 19, 2026. This incident is not PowerSchool’s first privacy controversy. In December 2024, a hacker exploited a stolen password to breach PowerSchool’s systems, stealing data from millions of students and educators. Though a $2.85 million ransom was paid, the same data was later used in further extortion attempts. The case reflects a broader trend of EdTech privacy failures, as digital learning tools in K-12 schools have nearly doubled in usage since 2020. Recent breaches, including a ShinyHunters attack on Canvas in April and May 2026, disrupted global education systems, forcing Instructure to pay an undisclosed ransom to prevent data leaks. Eligible students have until July 27, 2026, to file a claim under the settlement.

PowerSchool, a California-based education technology company, fell victim to a sophisticated cyberattack orchestrated by Matthew Lane, a 19-year-old 'seasoned cybercriminal.' Lane exploited advanced techniques to breach PowerSchool’s systems, stealing sensitive data belonging to millions of students and teachers. The stolen data was weaponized in a $3 million extortion scheme, marking a deliberate escalation in Lane’s criminal activities, which included prior attacks on government agencies, corporations, and foreign entities since 2021. The breach not only compromised vast amounts of personal and educational records but also exposed PowerSchool to severe financial and reputational damage. Federal prosecutors described the attack as part of a pattern of cybercrime, with Lane facing a 7-year prison sentence and $14 million in restitution. The incident underscores the vulnerability of educational institutions to targeted cyber threats, particularly those aiming to exfiltrate high-value data for ransom or malicious use. Most of the extorted funds remain unrecovered, amplifying the long-term operational and trust-related consequences for PowerSchool.