PowerSchool Data Breach: What Happened, Who's Affected, and What to Do Next

SEVN-X founder Matt Barnett joined NBC10 Philadelphia to unpack the largest theft of children's data in U.S. history — a breach that exposed more than 62 million students and 10 million teachers across thousands of K-12 districts.

The 60-Second Summary

Between December 19–28, 2024, an attacker used a stolen credential to log into PowerSchool's PowerSource customer support portal and exfiltrate data from its Student Information System. The breach exposed names, addresses, dates of birth, Social Security numbers, and limited medical information for 62M+ students and 10M+ teachers across thousands of K-12 districts in the U.S. and Canada. PowerSchool paid a ~$2.85M ransom — the data resurfaced anyway, and attackers later extorted individual districts directly.

<script type="text/javascript" charset="UTF-8" src="https://nbcphiladelphia.com/portableplayer/?CID=1:12:4073494&amp;videoID=2400713283770&amp;origin=nbcphiladelphia.com&amp;fullWidth=y&amp;autoplay=true"></script>

What Matt covers in the NBC10 interview

• How a single compromised credential cascaded into a nationwide breach
• Why the absence of mandatory MFA on an admin-level portal is a textbook control failure
• What parents of school-aged children should do today — credit freezes, IRS IP PINs, monitoring minors' SSNs
• Why paying the ransom didn't make the data go away
• The third-party and vendor-risk lesson every district superintendent needs to hear

Timeline of the PowerSchool breach

What parents should do right now

1. Freeze your child's credit at all three bureaus (Equifax, Experian, TransUnion). It's free and takes about 15 minutes per bureau.
2. Request an IRS Identity Protection PIN for any dependent who has a Social Security number — this blocks fraudulent tax returns in their name.
3. Enroll in the credit monitoring PowerSchool or your district is offering. It's worth the few minutes.
4. Watch for targeted phishing — texts or emails referencing your specific school district by name are red flags.
5. Talk to your kids about social-engineering attempts that reference their school or teachers.

What school districts should do right now

• Audit every vendor with admin-level access to student data and require MFA contractually.
• Run a tabletop exercise built around vendor compromise — not just internal ransomware.
• Map your data flow. Most districts cannot answer: "What student PII does each of our vendors actually hold?"
• Get an independent vendor-risk assessment — your insurance carrier will increasingly demand one.

Why this matters beyond PowerSchool

PowerSchool is the canary, not the exception. K-12 districts have spent a decade aggressively adopting EdTech vendors — SIS, LMS, assessment platforms, parent-comms tools — each one a new admin-level door into the same student records. A single category-1 control failure (no enforced MFA on a support portal with cross-tenant access) propagated into the largest theft of children's data in U.S. history. The next breach will not look like ransomware on a district file server. It will look like this: one compromised vendor credential, one weekend, thousands of districts on the same notification list.

If you operate a district, run IT for a charter network, or sit on a school board, the question is no longer "are our vendors secure?" It's "do we have evidence they are — and a plan for when one of them isn't?"