Anatomy of a Breach

Anatomy of a Breach: PowerSchool — 62 Million Students' and Teachers' Records Stolen from North America's Largest Education Platform

> series: anatomy_of_a_breach —— part: 193 —— target: powerschool —— students: 62,500,000 —— teachers: 9,500,000 —— data: ssns_medical_grades

Hedgehog Security 31 January 2025 13 min read

62 million students. Grades. Medical records. Disciplinary files. From the platform that runs North America's schools.

In January 2025, PowerSchool — the largest cloud-based education software provider in North America, used by over 16,000 school districts serving more than 50 million students — disclosed that attackers had breached its Student Information System (SIS) and stolen the personal records of approximately 62.5 million students and 9.5 million teachers and staff. The breach, which occurred in late December 2024, was discovered in January 2025.

The stolen data was extraordinarily sensitive: names, addresses, dates of birth, Social Security numbers, medical information, grades, academic records, and in some cases disciplinary records and special education classifications. PowerSchool paid a ransom — the amount undisclosed — in exchange for assurances that the stolen data would be destroyed. A 19-year-old college student from Massachusetts subsequently pleaded guilty to involvement in the attack. The PowerSchool breach was the largest breach of education data in history, surpassing VTech's 6.4 million children (2015) by an order of magnitude and exposing the data of an entire generation of North American schoolchildren.



Grades. Medical records. Disciplinary files. For 62 million children.

Children's Data at Unprecedented Scale

62 million students — the data of an entire generation of North American schoolchildren, including medical information, academic performance, and disciplinary records. Under UK GDPR and the Children's Code, children's data demands the highest protection. For UK schools and education providers, the PowerSchool breach reinforces that education platforms are high-value targets. Cyber Essentials is essential for education technology providers.

Medical and Disciplinary Records

The stolen data included medical information and disciplinary records — data that could stigmatise children for decades. This echoes the Medibank breach (2022) where health data was published as punishment. SOC in a Box detects data exfiltration before it reaches attackers.

Ransom Paid — Again

PowerSchool paid the ransom — joining a growing list of organisations that have paid to prevent data publication. There is no guarantee the data was actually destroyed. UK Cyber Defence provides incident response including ransom decision guidance.

Education Technology Concentration

PowerSchool serves 50 million students through a single platform — creating the same concentration risk seen with Change Healthcare (2024) and Snowflake (2024). A single vendor compromise affected 16,000 school districts simultaneously. Cloud configuration reviews assess platform security.

Education data is children's data. It demands the highest protection.

The PowerSchool breach demonstrated that education technology platforms — holding the most sensitive data about the most vulnerable population — remain critically under-protected. For UK schools, multi-academy trusts, and education technology providers, Cyber Essentials certification provides the baseline. Our application testing assesses education platform security. Our education sector analysis examines the specific threat landscape. SOC in a Box monitors education platforms. And UK Cyber Defence provides incident response when children's data is at risk.


62 million students' records stolen. Grades. Medical data. Is your education platform tested?

Cyber Essentials for education providers. Application testing validates platform security. SOC in a Box monitors education systems.
