PowerSchool, a software and cloud storage provider for school systems in the U.S. and Canada, suffered a mass data breach between December 22–28, 2023, orchestrated by Matthew D. Lane, an American student. The breach exposed sensitive data of millions of students, teachers, and educators, including names, email addresses, phone numbers, and medical information. Lane demanded a $2.85 million Bitcoin ransom, threatening to leak the stolen data if unpaid. PowerSchool confirmed paying an undisclosed ransom to prevent public exposure, but the Toronto District School Board later revealed the data was not destroyed, and the threat actor retained control. The breach impacted school boards across Newfoundland and Labrador, Nova Scotia, Ontario, Alberta, and other regions, prompting a federal privacy investigation (later discontinued after PowerSchool committed to enhanced security measures, including an independent assessment by March 2026). The incident underscored vulnerabilities in educational data systems and the risks of ransomware-driven extortion targeting critical infrastructure.
Source: https://globalnews.ca/news/11479819/powerschool-cyber-extortion-prison-sentence/
TPRM report: https://www.rankiteo.com/company/powerschool-group-llc
"id": "pow1302513101625",
"linkid": "powerschool-group-llc",
"type": "Ransomware",
"date": "12/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Millions (students, families, '
'educators across Canada and the '
'U.S.)',
'industry': 'Education Technology',
'location': ['United States', 'Canada'],
'name': 'PowerSchool',
'type': 'Software and Cloud Storage Company'},
{'industry': 'Education',
'location': 'Toronto, Ontario, Canada',
'name': 'Toronto District School Board',
'type': 'School Board'},
{'industry': 'Education',
'location': 'Newfoundland and Labrador, Canada',
'name': 'School Boards in Newfoundland and Labrador',
'type': 'School Boards'},
{'industry': 'Education',
'location': 'Nova Scotia, Canada',
'name': 'School Boards in Nova Scotia',
'type': 'School Boards'},
{'industry': 'Education',
'location': 'Alberta, Canada',
'name': 'School Boards in Alberta',
'type': 'School Boards'}],
'customer_advisories': ['Public guidance on protecting personal data '
'post-breach'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': 'Millions',
'personally_identifiable_information': 'Yes (names, email '
'addresses, phone '
'numbers, medical '
'info)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Medical Information',
'Contact Details']},
'date_detected': '2023-12-22',
'date_publicly_disclosed': '2024-05-00',
'description': 'An American man, Matthew D. Lane, was sentenced to four years '
'in prison for cyber extortion related to a mass data breach '
'of PowerSchool, a student information system used across '
'Canada and the U.S. The breach occurred between December 22 '
'and 28, 2023, affecting millions of students, families, and '
'educators. A ransom of $2.85 million in bitcoin was demanded, '
'and PowerSchool confirmed paying an unspecified ransom to '
'prevent data leakage. The Toronto District School Board and '
'other Canadian school boards were impacted, with stolen data '
'including names, email addresses, phone numbers, and medical '
'information. Canada’s federal privacy watchdog launched and '
'later discontinued an investigation after PowerSchool '
'committed to enhanced security measures.',
'impact': {'brand_reputation_impact': 'High (affected millions of Canadians, '
'public disclosure of breach)',
'data_compromised': ['Names',
'Email Addresses',
'Phone Numbers',
'Medical Information',
'Other Student/Family/Educator Data'],
'identity_theft_risk': 'High (PII and medical data exposed)',
'legal_liabilities': ['Privacy investigation by Canada’s federal '
'privacy watchdog (later discontinued)'],
'systems_affected': ['PowerSchool Student Information System']},
'initial_access_broker': {'high_value_targets': ['Student and educator data']},
'investigation_status': 'Closed (privacy investigation discontinued in July '
'2024; criminal case concluded with sentencing)',
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': ['Strengthened monitoring '
'and detection tools',
'Independent security '
'assessment by March 2026']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': '$2.85 million (in bitcoin)',
'ransom_paid': 'Yes (amount unspecified)'},
'references': [{'source': 'Global News'},
{'source': 'U.S. Attorney’s Office (Massachusetts)'},
{'source': 'PowerSchool Official Statement'},
{'date_accessed': '2024-05-00',
'source': 'Toronto District School Board Letter to Parents'}],
'regulatory_compliance': {'fines_imposed': 'None',
'legal_actions': ['Privacy investigation by '
'Canada’s federal privacy '
'watchdog (discontinued in July '
'2024)'],
'regulatory_notifications': ['Canada’s federal '
'privacy commissioner '
'notified; independent '
'security assessment '
'required by March '
'2026']},
'response': {'communication_strategy': ['Public statements, letters to '
'parents/caregivers (e.g., Toronto '
'District School Board)'],
'enhanced_monitoring': 'Yes (committed to privacy commissioner)',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (U.S. Attorney’s Office, '
'Canadian authorities)',
'remediation_measures': ['Strengthened monitoring and detection '
'tools']},
'stakeholder_advisories': ['Letters to parents/caregivers (e.g., Toronto '
'District School Board)'],
'threat_actor': 'Matthew D. Lane',
'title': 'PowerSchool Data Breach and Cyber Extortion',
'type': ['Data Breach', 'Cyber Extortion', 'Ransomware']}