PowerSchool data breach: Explaining how it happened

Details about the incident

On Dec. 28, 2024, PowerSchool claimed it first discovered unauthorized access to its systems. According to the CrowdStrike investigation report, while PowerSchool identified the issue on Dec. 28, the earliest evidence of unauthorized activity dates back to Dec. 19, 2024.

The initial attack vector according to PowerSchool was accessed via the company's community-focused customer support portal, PowerSource.

The breach allowed hackers to access the PowerSchool Student Information System (SIS), a central database containing a wealth of student and staff data.

PowerSchool didn't begin to communicate with customers about the data breach until Jan. 7, 2025.

PowerSchool hired cybersecurity vendor CrowdStrike to help investigate the alleged attack. PowerSchool paid some form of fee to the attackers to keep the data from being released. By paying these threat actors to destroy the stolen data, this incident is an extortionware event.

According to court documents from the U.S. Department of Justice (DOJ) made public on May 20, 2025, PowerSchool received an extortion demand of approximately $2.85 million bitcoin.

The ransom was paid in exchange for a video that allegedly showed the attackers claiming to delete the only copy of the data. However, as recently as May 7, 2025, attackers were sending extortion emails to schools in Canada and North Carolina that included samples of the stolen data.

How did this attack happen?

The early investigation into the attack provides some clues as to how the attack happened.

Credential theft

Cyberattackers compromised or used a credential to access PowerSchool's PowerSource customer support portal. It is not yet clear how the attackers were able to compromise the credentials, though credential theft is a relatively common attack. Credentials can potentially be stolen in any number of different ways, including phishing and social engineering attacks.

Unauthorized access

The PowerSource customer support portal that the cyberattacker accessed contained a maintenance tool that allowed PowerSchool engineers to access customer SIS instances for support and troubleshooting performance issues. According to CrowdStrike's investigation, between Dec. 19-28, 2024, the threat actor specifically performed "Maintenance Remote Support operations" in PowerSource, which enabled access to individual customer organizations' SIS instances.

Data exfiltration

Once inside the system, the attackers accessed the export data management customer support tool to extract data from the PowerSchool SIS students' and teachers' database tables.

Who was affected?

According to PowerSchool, the December 2024 security incident specifically affected a subset of institutions using PowerSchool's SIS. Schools and districts that don't use PowerSchool SIS were not impacted by this incident.

While the exact number of affected individuals remains unknown, the scale of the breach is significant, given PowerSchool's extensive user base. Given the widespread usage of PowerSchool SIS across North America, the data breach potentially impacted millions of students and teachers.

According to PowerSchool's public disclosure, the breach exposed personally identifiable information (PII) for a portion of individuals. The affected individuals fall into two main categories:

Students and families

• Select students whose information was stored in affected SIS systems.
• Family members associated with these student records.

Educators

• School staff members whose information was stored in the compromised systems.
• Personnel whose records contained PII in affected districts.

Some school districts reported that historical data was compromised, so past staff and students were also affected.

What data was stolen?

According to court documents published on May 20, 2025, the breach compromised the personal information of approximately 62 million individuals.

Data stolen in the breach is comprised of PII for students, parents and educators, including the following:

• Names.
• Addresses.
• Birth dates.
• Social Security numbers.
• Medical information.
• Academic records.

According to CrowdStrike's report, the attack specifically exfiltrated data from the SIS instances' teachers and students tables. The investigation found no evidence of data taken from any other tables.

According to PowerSchool, there's no evidence that banking or credit card information was compromised, which is an assertion that CrowdStrike's report confirms.

PowerSchool will provide identity protection services for students and educators and credit monitoring services for affected adults.

Timeline of attack

While full details on the attack have not yet been publicly revealed, there are some indications and disclosures that provide insight into the timeline of the attack:

• Dec. 19-23, 2024. Suspected start of unauthorized access to PowerSchool's systems.
• Dec. 28, 2024. PowerSchool becomes aware of the potential cybersecurity incident.
• Jan. 7, 2025. PowerSchool notifies affected school districts about the data breach.
• Jan. 8, 2025. Some school districts begin notifying parents and staff about the breach.
• Jan. 13, 2025. Public disclosure of the incident on PowerSchool's website.
• Feb. 28, 2025. Crowdstrike investigation report delivered detailing how the attack occurred.
• May 7, 2025. PowerSchool discloses that cybercriminals are sending new extortion emails with a sample of the previously stolen data.
• May 20, 2025. DOJ discloses plea deal with alleged attacker Matthew D. Lane.

Who was responsible for the attack?

The attack was conducted by a 19-year-old male, identified by the DOJ as Matthew D. Lane, a student at Assumption University in Worcester, Mass.

Lane agreed to a guilty plea on charges of obtaining information from a protected computer and aggravated identity theft. The plea deal requires Lane to accept a prison sentence of at least nine years and four months.

The DOJ claims that Lane worked with at least one as-yet unnamed co-conspirator. The investigation is ongoing.

What is the impact of this attack?

The PowerSchool data breach has a broad impact on students, educators and educational institutions:

• Privacy concerns. The data leakage of PII puts affected individuals at risk of identity theft and fraud.
• Long-term risk. The compromise of personal data could have long-lasting effects, as data such as Social Security numbers and birth date information can be misused years into the future.
• Financial impact. Education districts and schools might need to spend money to improve cybersecurity and provide higher degrees of privacy assurance.
• Legal challenges. There could be lawsuits against PowerSchool and potentially school districts.
• Operational disruptions. While PowerSchool claims no operational disruptions, affected schools may need to implement new security measures and update data management practices and privacy controls.

Other related incidents

There is no shortage of cybersecurity events involving the education sector. In 2024, the education sector was a prime target for cybercriminals with several high-profile attacks affecting schools and universities across North America.

Here's an overview of significant education-related cyberattacks in 2024.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.