Massive student-data breach alleged

PowerSchool, a student-records platform used by thousands of schools, said a December 2024 breach exposed data on students and teachers across the United States and Canada. (powerschool.com) The company said on May 7, 2025 that the stolen data from that incident was being used in fresh extortion attempts against school districts. PowerSchool said it did not view those threats as a new intrusion because the samples matched data taken in December 2024. (powerschool.com) Federal prosecutors said Massachusetts college student Matthew D. Lane agreed to plead guilty in May 2025 to hacking PowerSchool and another company, stealing data, and demanding ransom payments. The Justice Department said the PowerSchool attack involved “millions of records” containing confidential and personally identifying information. (justice.gov) State officials and lawsuits later put firmer numbers on the scale. North Carolina Attorney General Jeff Jackson said on February 6, 2025 that the breach affected 62.4 million current and former students and teachers nationwide, including nearly 4 million people in North Carolina. (ncdoj.gov) Texas Attorney General Ken Paxton said in a September 3, 2025 lawsuit that 62.4 million students and 9.5 million teachers were exposed, with more than 880,000 victims in Texas alone. His office said the compromised data included names, addresses, Social Security numbers, and protected health information. (texasattorneygeneral.gov) PowerSchool’s own breach notice said the incident involved personal information belonging to current or former students and teachers whose schools used its Student Information System. That system is the database schools use for attendance, grades, enrollment, and other core records. (powerschool.com) The company also confirmed it paid a ransom after discovering the attack. PowerSchool said it made that decision in the days after the December 2024 breach because it believed payment was the best chance to keep the stolen data from being published. (powerschool.com) PowerSchool also said the payment came with “assurances and evidence” that the data had been deleted, but warned there was always a risk the attackers had kept copies. Its May 2025 update, saying districts were being extorted again with the same data, showed that risk had not gone away. (powerschool.com) The breach drew scrutiny over basic security controls. Texas said PowerSchool acknowledged it did not have multifactor authentication in place before the hack, even as the company marketed strong protections for school data. (therecord.media) PowerSchool said it offered two years of credit monitoring and identity-protection services to students and faculty tied to its Student Information System customers, whether or not they were confirmed victims. As of July 31, 2025, the company said the enrollment period for that monitoring had closed. (powerschool.com) What remains unsettled is not whether the breach happened, but how long the stolen records will keep circulating. PowerSchool’s own updates, state investigations, and criminal charges all point to the same conclusion: a school software break-in in December 2024 became a long-running exposure of children’s and educators’ data. (powerschool.com)