Everyone's Permanent Record: The PowerSchool Breach and the Data of 70 Million Students
Everyone’s Permanent Record: The PowerSchool Breach and the Data of 70 Million Students
The email arrived on January 7, 2025, in the inboxes of IT directors at school districts across North America.
The sender was PowerSchool. The subject was a security notification. The first paragraph used the word “incident.” By the third paragraph, the IT directors reading it were doing arithmetic: their district. Their students. Their years of cumulative records. The message said PowerSchool had experienced unauthorized access to its Student Information System between December 22 and December 28, 2024, during the holiday week when most district staff were out of office and monitoring was at its thinnest.
For some districts, “students” meant twelve years of records for every child who had enrolled since the system was deployed. Social Security numbers. Medical conditions listed under health records and IEP documentation. Home addresses updated every year. Custodial arrangements and notes about which parent was not allowed to pick up which child. Behavioral incident reports. Psychological assessments. Grades, attendance records, disciplinary histories. For teachers: employment records, performance evaluations, and their own Social Security numbers and personal addresses.
For the students whose records were stolen, many were currently in kindergarten. The data would outlive their childhood. SSNs do not expire.
What PowerSchool Is
PowerSchool is not a product most parents have heard of. Like Change Healthcare in the healthcare economy, it is infrastructure — the invisible backbone that tens of thousands of schools use to track everything about every student.
Founded in 1997 and acquired by Vista Equity Partners in 2015 and later Bain Capital in 2024, PowerSchool had grown through acquisition into the dominant provider of Student Information System (SIS) software for K-12 education in North America. By 2025, PowerSchool served approximately 18,000 school districts and customers in 90 countries, with records for an estimated 70 million students and 6 million teachers stored in its hosted cloud infrastructure.
An SIS is not a gradebook. It is the comprehensive longitudinal record of a student’s educational life. PowerSchool’s SIS handled enrollment and withdrawal processing, attendance tracking, grading, scheduling, health records (nurse’s office visits, medication administration logs, IEP and 504 accommodation tracking), disciplinary records, family contact information including custody orders, and — through state reporting functions — integration with state and federal education data systems. Every child’s record was updated by every teacher, nurse, counselor, and administrator who interacted with them. Twelve years of unbroken documentation, in most cases, from kindergarten registration through senior year.
The system also held teacher and staff records: professional development histories, employment documentation, and personnel contact information. In many districts, teacher Social Security numbers were stored for state reporting purposes.
All of this resided in PowerSchool’s hosted environment — not in the districts’ own servers, but in PowerSchool’s cloud infrastructure, accessible through a web-based portal.
The Breach: A Single Set of Stolen Credentials
The intrusion was not technically sophisticated. It did not require a zero-day vulnerability, a supply chain compromise, or weeks of patient lateral movement through a network. It required a username and a password.
PowerSchool’s PowerSource platform — the customer support portal used by district IT administrators to access account management tools, submit support tickets, and manage their installations — was accessible from the public internet and protected by credential-based authentication. The attacker obtained credentials for a PowerSchool contractor account with access to PowerSource and, through it, to a maintenance access tool called SIS Support Portal that allowed the exfiltration of data tables directly from PowerSchool’s databases.
The mechanism was a CSV data export tool — a feature designed for legitimate bulk data migration and support use — that the attacker used to export the underlying student and teacher database tables. There was no alarm. No anomaly detection triggered. A support tool doing what support tools are designed to do, operated by credentials that appeared legitimate, generated no automatic alert.
The attackers exfiltrated data over six days during the holiday week — December 22 through December 28 — before PowerSchool’s internal monitoring detected anomalous export activity.
Whether multi-factor authentication was enabled on the compromised account has not been publicly confirmed by PowerSchool. What is clear is that the access was credential-based, the credentials were not internally generated by PowerSchool, and no technical vulnerability in PowerSchool’s software was exploited. The attack surface was the oldest one in cybersecurity: a password.
What Was Taken: The Scale of the Exposure
PowerSchool retained a cybersecurity incident response firm and conducted a data analysis to determine what had been exported. Their communications to affected districts described the scope in terms that varied by district configuration — each district customized which data fields their SIS collected and stored — but the categories were consistent:
- Student personally identifiable information (PII): Full legal names, dates of birth, home addresses, Social Security numbers (where stored), grade levels, enrollment dates
- Health and medical information: Nurse visit logs, medication administration records, immunization records, IEP and 504 plan documentation including diagnosed disabilities, psychological evaluation notes
- Academic records: Course enrollment, grades, attendance records, disciplinary incident reports, counselor notes, academic intervention documentation
- Family information: Emergency contacts, parent/guardian names and addresses, custodial arrangement notes, contact restrictions
- Staff PII: Teacher and staff names, addresses, contact information, employment records, Social Security numbers (where stored for state reporting)
Some districts stored more data than others. For districts that had deployed PowerSchool’s health module and stored detailed medical information, the breach exposed what amounted to a comprehensive medical dossier on every child enrolled — information that health regulations would protect under HIPAA if held by a covered healthcare entity, but which educational records are governed instead by the weaker protections of FERPA (the Family Educational Rights and Privacy Act).
PowerSchool disclosed that the breach affected students in all 50 states and in Canada. The company estimated the breach impacted records for approximately 70 million current and former students and 6 million teachers and staff. If accurate, that made it one of the largest data breaches by the number of affected individuals in US history — trailing only the OPM breach (21.5 million) and the National Public Data breach of 2024 (2.9 billion claimed records) in terms of scope.
The Ransom and the Assurance That Failed
PowerSchool confirmed it had paid a ransom to the attackers in exchange for a commitment that the stolen data would be deleted and not published. The company stated it had received a video purportedly showing data deletion as proof of compliance.
The payment was made. The video was provided. And then, in late spring 2025, individual school districts began receiving extortion demands.
The data had not been deleted. The attackers — or a party in possession of the data — sent communications directly to school districts, demonstrating possession of specific student and teacher records and demanding payment to prevent publication. The extortion was targeted and specific: the demands referenced data fields particular to individual districts, indicating either that the threat actor had retained the full export or that the data had been sold or transferred to a second extortion party.
The dynamic was identical to what had happened after the Change Healthcare ransom: paying a ransom does not guarantee data deletion. Data, once stolen, can be copied. The party receiving the ransom payment may not control every copy. The criminal ecosystem has learned that data demonstrating possession-after-ransom-payment is itself valuable for second-round extortion.
PowerSchool’s position — that it had paid in good faith and received assurances of deletion — did not resolve the districts’ exposure. The districts, not PowerSchool, were now the targets of the second-wave extortion.
FERPA, HIPAA, and the Regulatory Gap
The PowerSchool breach illuminated a structural problem in how US law protects children’s data.
FERPA (the Family Educational Rights and Privacy Act) governs the privacy of student education records. Enacted in 1974, FERPA gives parents the right to inspect and request correction of their children’s educational records and restricts disclosure without consent. What FERPA does not provide: any specific security requirements for how those records must be protected, any mandatory breach notification timeline, or any direct private right of action for violations. Schools have FERPA obligations; those obligations do not mandate any particular technical security control.
The health-related data in PowerSchool’s SIS — medication logs, IEP documentation, psychoeducational assessments — is not covered by HIPAA because it is held by an educational institution rather than a covered healthcare entity. The gap between FERPA’s education record protections and HIPAA’s health record protections means that children’s medical information held in SIS platforms exists in a regulatory zone with minimal mandatory security requirements and limited enforcement mechanisms.
Congressional hearings in spring 2025 examined whether FERPA modernization was needed to impose HIPAA-equivalent security standards on SIS vendors handling health-adjacent data. The debate echoed the HIPAA Security Rule reform conversation triggered by the Change Healthcare breach: critical infrastructure — in this case, the data repositories of American public education — had been treated as compliance problems rather than security problems.
Legacy: The Permanent Record
PowerSchool faced class action litigation from parents in multiple states. Several states opened independent investigations under state data breach notification laws, which impose different requirements than FERPA. The FTC considered whether PowerSchool’s practices constituted unfair or deceptive trade acts under Section 5 of the FTC Act.
The districts that paid the second-wave extortion demands did not necessarily receive confirmed deletion either — and faced the same uncertainty PowerSchool had already experienced. Cybersecurity attorneys advised that no ransom payment carries a legally enforceable guarantee of data destruction; the payment buys an unverifiable promise.
For the 70 million students whose records were exfiltrated, the exposure is measured in decades. A kindergartner whose Social Security number and medical history were stolen in December 2024 will be managing the consequences into her adult life — explaining anomalies on her credit report in 2040, wondering whether a future employer has seen her fifth-grade disciplinary record, unable to determine whether the psychological evaluation her school ordered in 2022 is circulating in a criminal marketplace.
The permanent record — that adolescent specter, the thing authority figures used to threaten consequences that would follow you into adulthood — turned out to be real, to be digital, and in December 2024, to have been stolen.
No arrests have been made. The threat actor identity has not been publicly confirmed. The credential that provided access to the entire dataset of American K-12 education has not been publicly attributed to a nation-state or a specific criminal organization.
Attack Chain: PowerSchool SIS Breach — Credential-Based Exfiltration
graph TD
A["Credential Acquisition\nAttacker obtains PowerSchool\ncontractor account credentials\nvia unknown means — phishing,\ninfostealer, dark web purchase"] --> B["Initial Access\nLogin to PowerSource customer\nsupport portal using\nstolen contractor credentials\nNo confirmed MFA on account"]
B --> C["Tool Discovery\nAttacker identifies SIS Support Portal\n— a maintenance tool with\nbulk data export capability\nIntended for support and migration use"]
C --> D["Data Export\nUse CSV export tool to pull\nstudent and teacher database tables\nDec 22–28, 2024 holiday week\nMinimal monitoring active"]
D --> E["Exfiltration\n70M+ student records:\nSSNs · medical · IEPs · addresses\ndisciplinary records · family info\n6M+ teacher/staff records"]
E --> F["Detection\nPowerSchool detects anomalous\nexport activity\nHoliday week response delayed\nDec 28, 2024"]
F --> G["Ransom Negotiation\nPowerSchool pays ransom\nReceives video purporting\nto show data deletion\nJanuary 2025"]
G --> H["Notification\nJan 7, 2025: Districts notified\n18,000+ customers across\nNorth America — 50 states + Canada"]
H --> I["Second-Wave Extortion\nSpring 2025: Individual districts\nreceive targeted extortion demands\nAttackers demonstrate retention\nof district-specific data"]
I --> J["Congressional Hearings\nFERPA modernization debate\nSecurity standards for SIS vendors\nHIPAA gap for school health data"]
J --> K["Legacy\nClass actions in multiple states\nFTC and state AG investigations\n70M students' lifetime exposure\nNo arrests made"]
style A fill:#1a1a2e,color:#e0e0e0
style B fill:#4a1a6e,color:#d8b4fe
style D fill:#c0392b,color:#fff
style E fill:#c0392b,color:#fff
style G fill:#8e44ad,color:#fff
style I fill:#8e44ad,color:#fff
style K fill:#2c3e50,color:#e0e0e0