PowerSchool: 72 Million Student and Teacher Records Stolen in Largest Education Breach
Between September and December 2024, a 19-year-old college freshman used stolen credentials--harvested by malware from a subcontractor's computer--to log into PowerSchool's PowerSource customer support portal, which lacked multi-factor authentication.
Operating entirely through built-in administrative tools, the attacker exfiltrated 62.4 million student records and 9.5 million teacher and staff records from 1,243 U.S. school districts and 89 international schools across at least 37 states.
The stolen data included Social Security numbers, medical alerts, disability records, special education information, and the bus stop locations of children.
PowerSchool paid a $2.85 million Bitcoin ransom, but the data was later used to extort individual school districts directly. The attacker was sentenced to four years in federal prison and ordered to pay $14 million in restitution.
KEY FACTS
- What: Stolen credentials used on support portal lacking MFA for three months.
- Who: 62.4 million students and 9.5 million teachers across 37+ states.
- Data Exposed: SSNs, medical alerts, disability records, and bus stop locations.
- Outcome: Attacker sentenced to 4 years; $2.85M ransom failed to prevent re-extortion.
WHAT HAPPENED
The breach began in September 2024 when a 19-year-old college freshman obtained credentials for PowerSchool's PowerSource customer support portal from dark web marketplaces.
The credentials had been harvested by infostealer malware that infected a subcontractor's computer - a machine outside PowerSchool's corporate network but with access to PowerSchool's support infrastructure. The PowerSource portal did not require multi-factor authentication.
The stolen username and password were sufficient to log in.
Once authenticated, the attacker used a maintenance account designated "200A0" to access the platform's built-in "Export Data Manager" tool - a legitimate administrative function designed for customer support operations. No malware was deployed. No vulnerability was exploited.
No privilege escalation was required. The attacker operated entirely within the application's own interface, using its own tools to export student and teacher records from 1,243 U.S. school districts and 89 international schools across at least 37 states.
The exfiltration continued for three months - September through December 2024 - without triggering any behavioral anomaly detection, rate limiting, or access review.
The stolen data included Social Security numbers, medical alerts, disability records, special education classifications, and the bus stop locations of minor children. PowerSchool paid a $2.85 million Bitcoin ransom in an attempt to prevent publication.
The payment failed to achieve its objective. The data was subsequently used to extort individual school districts directly, demonstrating the well-documented pattern that ransom payments provide no guarantee of data destruction.
The attacker was eventually identified, arrested, sentenced to four years in federal prison, and ordered to pay $14 million in restitution. PowerSchool set aside $28 million in compensation and agreed to a $17.25 million settlement with Chicago Public Schools.
WHAT WAS EXPOSED
- Full names, dates of birth, and home addresses for 62.4 million students across 1,243 U.S. school districts
- Social Security numbers for students and staff
- Medical alerts, disability records, and special education classifications--protected under FERPA and IDEA
- Bus stop locations and transportation routing data for minor children
- Employment information and personnel records for 9.5 million teachers and staff
TECHNICAL FAILURE CHAIN
The attacker obtained credentials from the dark web, harvested by infostealer malware from a subcontractor's computer. The PowerSource portal did not require MFA. The attacker used a maintenance account "200A0" and the platform's built-in "Export Data Manager" tool.
No malware was deployed. No zero-day was exploited. The attacker operated within the application's own interface for three months without triggering any behavioral anomaly detection.
REGULATORY ANALYSIS
FERPA obligations fall primarily on school districts, but PowerSchool operated as a "school official" under FERPA's outsourcing exception. Texas AG filed suit alleging violations of the Texas Deceptive Trade Practices Act and Identity Theft Enforcement and Protection Act.
PowerSchool has set aside $28 million in compensation and agreed to a $17.25 million settlement with Chicago Public Schools alone.
ZERO|TOLERANCE Advisory
A 19-year-old with no advanced tools, no zero-day exploits, and no malware stole 72 million records over three months by logging into a support portal with a stolen password. The portal had no MFA. The administrative tool had no export limits.
The platform had no anomaly detection. Every technical failure in this breach has a specific, well-understood control that would have prevented it.
The fact that the victims are children - and that the stolen data includes their medical conditions, disabilities, and bus stop locations - makes the absence of these controls not merely negligent but unconscionable.
The entire breach began with a single credential pair that worked because the PowerSource portal did not require multi-factor authentication. MFA is the single control that would have prevented this breach entirely.
The stolen password, harvested by infostealer malware from a subcontractor's machine, would have been insufficient to authenticate if a second factor had been required.
For a platform managing the records of 62.4 million students - many of them minors with protected disability and medical information - the absence of MFA on any administrative interface is indefensible.
Phishing-resistant MFA using FIDO2 hardware security keys eliminates credential theft as an attack vector entirely. FIDO2 keys are cryptographically bound to the origin domain and cannot be phished, replayed, or harvested by infostealers.
The difference between requiring MFA and not requiring it was, in this case, 72 million children's records.
The attacker operated within the PowerSource interface for three months, using the Export Data Manager to extract records from over 1,300 school districts. No rate limiting. No export volume threshold. No behavioral anomaly alert.
Application-level controls must enforce data export limits that prevent bulk extraction - no single session or account should be able to export records from more than a defined number of districts without triggering review and approval.
User and Entity Behavior Analytics (UEBA) platforms detect anomalous patterns: a maintenance account that has never exported more than a handful of records suddenly exporting millions triggers an alert.
The absence of both export limits and behavioral detection meant the attacker could drain the entire database at the application's own speed with no friction whatsoever.
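The two controls described above, a per-account export baseline and a hard cap on districts touched per day, as an added example run over constructed audit lines (not PowerSchool code; the log format, the "district" and "rows" fields, and the thresholds are assumptions):

```python
"""Export-volume anomaly check over constructed PowerSource-style audit lines.

Added example, not PowerSchool code. The log format, field names and
thresholds are assumptions; the logic is the control described above:
a per-account baseline plus a cap on distinct districts per account per day.
"""
from collections import defaultdict

# Constructed sample audit lines: timestamp, account, district id, rows exported.
# The first three are routine support exports; the last three mimic bulk pulls.
SAMPLE_LOG = """\
2024-08-02T10:11:00Z account=200A0 district=d-0017 rows=40
2024-08-09T09:30:00Z account=200A0 district=d-0017 rows=55
2024-08-16T14:02:00Z account=200A0 district=d-0112 rows=30
2024-09-03T02:14:00Z account=200A0 district=d-0001 rows=48000
2024-09-03T02:15:00Z account=200A0 district=d-0002 rows=51000
2024-09-03T02:16:00Z account=200A0 district=d-0003 rows=47500
"""

BASELINE_MULTIPLIER = 10  # assumed: alert when one export exceeds 10x the account's prior max
DISTRICT_CAP = 2          # assumed: distinct districts per account per day before review


def parse(line):
    """Split one audit line into (timestamp, account, district, rows)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields["account"], fields["district"], int(fields["rows"])


def find_anomalies(log_text, baseline_until):
    """Return alert strings. Exports timestamped before `baseline_until` form the baseline."""
    prior_max = defaultdict(int)            # account -> largest routine export seen
    districts_per_day = defaultdict(set)    # (account, day) -> districts exported from
    alerts = []
    for line in log_text.splitlines():
        ts, account, district, rows = parse(line)
        if ts < baseline_until:             # ISO timestamps compare lexicographically
            prior_max[account] = max(prior_max[account], rows)
            continue
        if prior_max[account] and rows > BASELINE_MULTIPLIER * prior_max[account]:
            alerts.append(f"{ts} {account}: {rows} rows vs prior max {prior_max[account]}")
        day = (account, ts[:10])
        districts_per_day[day].add(district)
        if len(districts_per_day[day]) > DISTRICT_CAP:
            alerts.append(f"{ts} {account}: {len(districts_per_day[day])} districts in one day, hold for review")
    return alerts
```

In a real deployment the baseline would be computed from historical audit data per account, and the district cap would block the export pending approval rather than only raise an alert.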
The credentials were harvested from a subcontractor's computer - a machine outside PowerSchool's corporate perimeter but with access to PowerSchool's support infrastructure.
Third-party access to sensitive platforms must be governed by Privileged Access Management (PAM) solutions that enforce session recording, just-in-time access provisioning, and automatic credential rotation.
Subcontractor access should be scoped to specific functions with time-limited sessions that expire automatically. The subcontractor's machine should never have stored persistent credentials for the PowerSource portal.
PAM solutions from CyberArk, BeyondTrust, or Delinea vault credentials centrally and inject them into sessions without exposing them to the endpoint - meaning infostealer malware on the subcontractor's machine would have found nothing to harvest.
PowerSchool paid a $2.85 million Bitcoin ransom. The data was subsequently used to extort individual school districts directly. This outcome is neither surprising nor unusual - it is the documented norm.
Ransom payments provide no cryptographic or contractual guarantee that stolen data will be destroyed. The FBI, CISA, and every major incident response firm advise against payment for this reason.
Incident response planning must assume that stolen data will be published regardless of payment.
The focus must shift from preventing publication to minimizing the data available for exfiltration in the first place - through data minimization (do not store what you do not need), field-level encryption (encrypt SSNs and medical data at the column level so that bulk database exports produce ciphertext), and tokenization of sensitive identifiers.
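The tokenization approach described above, as an added example (not PowerSchool code): SSNs are replaced by keyed HMAC tokens before they reach the records table, so a bulk export of that table contains tokens only, and recovering an SSN requires the separately held vault. The record layout, vault key and token format are assumptions.

```python
"""Tokenizing SSNs so a bulk records export yields tokens, not identifiers.

Added example, not PowerSchool code. The record layout, the vault key and
the token format are assumptions. Tokens are keyed HMAC values: the same
SSN always maps to the same token (so lookups and joins still work), but the
SSN itself lives only in the vault, which is stored and access-controlled
apart from the records database that an export tool reads.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the HMAC key and the token -> plaintext map, kept apart from the records DB."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # constructed key for the example
        self._store = {}

    def tokenize(self, ssn):
        """Deterministic token: without the key, a token cannot be computed from an SSN."""
        digest = hmac.new(self.key, ssn.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = ssn
        return token

    def detokenize(self, token):
        """Only a caller with vault access can map a token back to the SSN."""
        return self._store[token]


def ingest(vault, raw_records):
    """Store records with the SSN column replaced by its token."""
    return [{**r, "ssn": vault.tokenize(r["ssn"])} for r in raw_records]


def bulk_export(records):
    """What an Export Data Manager style dump of the records table would return."""
    return "\n".join(f'{r["id"]},{r["name"]},{r["ssn"]}' for r in records)


def leaks_plaintext(export_text, raw_records):
    """True if any original SSN appears verbatim in the export."""
    return any(r["ssn"] in export_text for r in raw_records)


# Constructed sample records (fictitious values)
RAW = [
    {"id": 1, "name": "Student A", "ssn": "123-45-6789"},
    {"id": 2, "name": "Student B", "ssn": "987-65-4321"},
]
```

Deterministic tokens reveal that two records share an SSN; if that equality leak matters, use random tokens with the vault as the only mapping.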
SOURCES
PowerSchool Official Incident Page, TechTarget, The 74 Million, Texas AG Office, BleepingComputer, TechCrunch, NBC News, DOJ