The incident has exposed a critical vulnerability at the heart of the digital infrastructure of modern education: schools rely heavily on third-party vendors to manage vast amounts of highly sensitive data, which is at risk of a massive breach, as happened in this case.
Forensic investigations revealed that an attacker first gained access as early as August 16, 2024, using a single compromised credential. However, the primary breach activity occurred from December 19-28, 2024, before PowerSchool detected and began investigating the unusual activity on December 28.
The attack originated through ‘PowerSource,’ PowerSchool’s customer support portal, which the attacker used to access the Student Information System (SIS), the core student and staff records database. The portal was used in conjunction with a maintenance tool for remote support operations, which allowed the attacker to access individual customer SIS instances and export the data they found there.
The attackers exploited phishing emails targeting the PowerSchool IT staff, combined with unpatched vulnerabilities in third-party software. The stolen data came from multiple databases, including parent contact details, student records, and private staff information.
PowerSchool didn’t publicly disclose the breach until January 7, 2025, over a week after discovery, drawing criticism from affected districts. Many school districts and parents felt PowerSchool’s postmortem report left key questions unanswered.
Educational databases are a goldmine for identity thieves, and a breach of one is particularly dangerous because it involves children, whose stolen identities can go undetected for years. The compromised information varied by district but included:
While PowerSchool did isolate the affected systems and hire the proper forensic experts to deal with the problem, they eventually paid a ransom (later revealed to be $2.85 million in Bitcoin). Unfortunately, although the hackers provided a video of them deleting the data, they later continued to try to extort others with data samples in May 2025.
To help remedy its image, PowerSchool is offering two years of complimentary identity protection and credit monitoring services and has committed to hardening its security systems.
Schools store a lot of personal, identifying information that hackers can use for identity theft, but many lack the financial resources to pay for robust cybersecurity teams. There’s a myth that smaller districts or schools are less likely to become targets because they have too few students, but this is not the case; the lack of security can entice hackers.
The PowerSchool breach was initiated by phishing emails targeting IT staff that impersonated a trusted vendor. As with many cybersecurity issues, a core vulnerability lies in people themselves. That means training and adherence are just as important as, if not more important than, the cybersecurity itself.
EdTech vendors should prioritize security for their products from the ground up. Then, schools need to treat cybersecurity as requiring investment in modern tools, ongoing training, and rigorous vetting of vendor security practices. It’s a big ask, but it’s necessary with the growing risks. Finally, policymakers should work on updated policies and funding, such as modernizing the E-rate program to cover cybersecurity tools for resource-constrained schools.
The PowerSchool breach is just one of many incidents that are revealing the difficult responsibility that comes with managing student data, creating a long-term shadow of identity theft risk for millions. Protecting our schools’ digital frontiers requires a collaborative security culture in which vendors, districts, and families work together to ensure a secure environment.