PowerSchool Data Breach: What Happened, Who's Affected, and What to Do Next
SEVN-X founder Matt Barnett joined NBC10 Philadelphia to unpack the largest theft of children's data in U.S. history — a breach that exposed more than 62 million students and 10 million teachers across thousands of K-12 districts.
What Matt covers in the NBC10 interview
- How a single compromised credential cascaded into a nationwide breach
- Why the absence of mandatory MFA on an admin-level portal is a textbook control failure
- What parents of school-aged children should do today — credit freezes, IRS IP PINs, monitoring minors' SSNs
- Why paying the ransom didn't make the data go away
- The third-party and vendor-risk lesson every district superintendent needs to hear
Timeline of the PowerSchool breach
| Date | Event |
|---|---|
| Dec 19–23, 2024 | Initial unauthorized access to PowerSchool's PowerSource portal |
| Dec 28, 2024 | PowerSchool detects the intrusion and receives a ~$2.85M Bitcoin ransom demand |
| January 2025 | Scope confirmed: 62M+ student records and 10M+ teacher records exfiltrated |
| May 2025 | Attackers begin extorting individual school districts directly with sample data |
| Oct 14, 2025 | Matthew D. Lane, 20, sentenced to four years in federal prison and $14.1M restitution |
What parents should do right now
- Freeze your child's credit at all three bureaus (Equifax, Experian, TransUnion). It's free and takes about 15 minutes per bureau.
- Request an IRS Identity Protection PIN for any dependent who has a Social Security number — this blocks fraudulent tax returns in their name.
- Enroll in the credit monitoring that PowerSchool or your district is offering. It's worth the few minutes.
- Watch for targeted phishing — texts or emails referencing your specific school district by name are red flags.
- Talk to your kids about social-engineering attempts that reference their school or teachers.
What school districts should do right now
- Audit every vendor with admin-level access to student data and require MFA contractually.
- Run a tabletop exercise built around vendor compromise — not just internal ransomware.
- Map your data flow. Most districts cannot answer: "What student PII does each of our vendors actually hold?"
- Get an independent vendor-risk assessment — your insurance carrier will increasingly demand one.
Why this matters beyond PowerSchool
PowerSchool is the canary, not the exception. K-12 districts have spent a decade aggressively adopting EdTech vendors — SIS, LMS, assessment platforms, parent-comms tools — each one a new admin-level door into the same student records. A single category-1 control failure (no enforced MFA on a support portal with cross-tenant access) propagated into the largest theft of children's data in U.S. history. The next breach will not look like ransomware on a district file server. It will look like this: one compromised vendor credential, one weekend, thousands of districts on the same notification list.
If you operate a district, run IT for a charter network, or sit on a school board, the question is no longer "are our vendors secure?" It's "do we have evidence they are — and a plan for when one of them isn't?"
Matt Barnett
Founder & CEO, SEVN-X — offensive security, incident response, and vendor-risk advisory