PowerSchool, an education technology company that manages student data for more than 18,000 institutions globally, suffered a large-scale data theft and extortion incident in late December 2024, disclosed publicly in January 2025. Using a compromised credential for PowerSchool's customer support portal (PowerSource), 19-year-old Matthew Lane and an unnamed coconspirator exported records of more than 60 million students and 10 million educators, including Social Security numbers, mental health data and special education records, and demanded about $2.85 million in Bitcoin under the threat of leaking the data worldwide. No encryption of PowerSchool systems was reported; the leverage was the stolen data itself. PowerSchool initially denied that it was a ransomware attack but later admitted to paying an undisclosed sum to prevent exposure. Total damages exceeded $14 million (the ransom, identity theft protection services for victims and legal costs). The breach disrupted operations for school districts, exposed minors' data, led to lawsuits and reputational harm, and enabled secondary extortion attempts against individual districts by other threat actors reusing the same stolen data. It also triggered regulatory scrutiny, including a lawsuit by the Texas Attorney General alleging that PowerSchool misrepresented its cybersecurity capabilities.
TPRM report: https://www.rankiteo.com/company/powerschool-group-llc
"id": "pow2292522101325",
"linkid": "powerschool-group-llc",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '60+ million students and 10+ '
'million educators',
'industry': 'EdTech',
'location': 'California, USA',
'name': 'PowerSchool',
'size': 'Large (serves 18,000+ educational '
'institutions globally)',
'type': 'Education Technology Company'},
{'industry': 'Education/Sports',
'location': 'Massachusetts, USA',
'name': 'Massachusetts Interscholastic Athletic '
'Association (MIAA)',
'type': 'Non-profit Athletic Association'},
{'industry': 'Telecommunications',
'location': 'USA',
'name': 'U.S.-based Wireless Telecommunications '
'Company (unnamed)',
'type': 'Corporation'},
{'industry': 'Food & Beverage',
'name': 'Alcoholic Beverage Company (unnamed)',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'USA',
'name': 'Major U.S. Supermarket Chain (unnamed)',
'type': 'Corporation'},
{'industry': 'Telecommunications',
'location': 'Indonesia',
'name': 'Indonesian Telecommunications Company '
'(unnamed)',
'type': 'Corporation'},
{'industry': 'Defense',
'location': 'Colombia',
'name': 'Colombian Armed Forces',
'type': 'Government/Military'}],
'attack_vector': ['stolen credential for the PowerSource customer support portal',
'exploitation of network vulnerabilities',
'use of leased foreign servers (Ukraine)'],
'customer_advisories': ['PowerSchool notified customers of the breach and '
'provided updates as the investigation progressed.',
'Affected students/educators were advised to enroll '
'in identity theft protection services.',
'Parents were warned about potential misuse of their '
"children's SSNs and sensitive data."],
'data_breach': {'data_encryption': 'No (none reported; data theft followed by extortion)',
'data_exfiltration': 'Yes (transferred to leased server in '
'Ukraine)',
'file_types_exposed': ['student records',
'teacher records',
'administrative data'],
'number_of_records_exposed': '70+ million (60M students + 10M '
'educators)',
'personally_identifiable_information': 'Yes (SSNs, names, '
'addresses, etc.)',
'sensitivity_of_data': 'High (includes SSNs of minors and '
'sensitive educational/health records)',
'type_of_data_compromised': ['PII (names, SSNs)',
'educational records (grades, '
'attendance)',
'mental health data',
'special education data']},
'date_detected': '2024-12',
'date_publicly_disclosed': '2025-01',
'description': 'Matthew Lane, a 19-year-old college freshman, pleaded guilty '
'to orchestrating a ransomware attack on PowerSchool, an '
'education technology company. Lane, along with at least one '
'unnamed coconspirator, stole sensitive records of over 60 '
'million students and 10 million educators, extorting nearly '
'$3 million from PowerSchool. The attack, motivated by greed, '
'exposed highly sensitive student data, including Social '
'Security numbers, mental health records, and special '
"education data. Lane's criminal activities date back to at "
'least 2021, targeting educational institutions, government '
'agencies, and corporate networks. He used sophisticated '
'techniques like VPNs, eSIMs, anonymized emails, and foreign '
'servers to evade detection. The breach cost PowerSchool over '
'$14 million, including ransom payments and identity theft '
'services for victims.',
'impact': {'brand_reputation_impact': ['loss of trust among school districts '
'and parents',
'negative media coverage',
'criticism for delayed notifications'],
'customer_complaints': ['lawsuits from affected students/educators',
'Texas Attorney General lawsuit for '
'deceptive cybersecurity claims'],
'data_compromised': ['Social Security numbers',
'mental health records',
'special education data',
'grades',
'attendance records',
'personal identifiable information (PII) of '
'60+ million students and 10+ million '
'educators'],
'financial_loss': '$14 million (including ransom payment and '
'identity theft services)',
'identity_theft_risk': 'High (exposed SSNs and sensitive PII of '
'minors)',
'legal_liabilities': ['multiple lawsuits',
'Texas Attorney General lawsuit (2025)',
'potential regulatory fines'],
'operational_impact': ['disruption of services',
'delayed notifications to affected parties',
'secondary victimization risks (reuse of '
'stolen data)'],
'systems_affected': ["PowerSchool's digital platform",
'leased server in Ukraine']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (based on '
'BreachForums activity and '
'ShinyHunters affiliation '
'claims)',
'entry_point': ['stolen credentials (PowerSchool)',
'exploited vulnerabilities (MIAA '
'website)'],
'high_value_targets': ['educational institutions',
'government agencies '
'(Colombian Armed Forces)',
'corporate networks '
'(telecom, retail)'],
'reconnaissance_period': 'At least since 2021 '
'(based on early attacks)'},
'investigation_status': 'Ongoing (Lane pleaded guilty in 2025-05 and was sentenced on '
'2025-10-14; coconspirator still unnamed/at large)',
'lessons_learned': ['Teenage hackers can pose significant threats despite '
'their age, leveraging online communities for skills and '
'reputation.',
'Operational security degradation (e.g., IP leaks) can '
'lead to capture even for sophisticated actors.',
'Secondary victimization is a major risk post-breach, as '
'stolen data can be reused by other criminals.',
'Early vulnerability reporting and patching could have '
'mitigated the MIAA attack (2021).',
'Organizations must improve incident response times to '
'limit reputational and legal damage.'],
'motivation': ['financial gain',
'greed',
'desire for luxury items (designer clothes, diamond jewelry, '
'luxury vehicles, extravagant rentals)'],
'post_incident_analysis': {'corrective_actions': ['PowerSchool committed to '
'enhancing cybersecurity '
'measures post-breach.',
'FBI and DOJ prioritized '
'cracking down on '
'cybercrime forums like '
'BreachForums.',
'Educational institutions '
'were advised to audit '
'third-party vendor '
'security (e.g., '
'PowerSchool).',
"Lane's sentencing (4 years in "
'prison + $14M restitution) aimed '
'to deter similar crimes.'],
'root_causes': ['Inadequate access controls at '
'PowerSchool (allowed stolen '
'credentials to be used).',
'Delayed patching of '
'vulnerabilities (e.g., MIAA '
'website).',
'Lack of real-time monitoring for '
'data exfiltration to foreign '
'servers.',
'Over-reliance on reactive '
'measures (e.g., paying ransom) '
'rather than proactive defense.',
"Teenage threat actor's "
'exploitation of online hacking '
'communities for skills and '
'tools.']},
'ransomware': {'data_encryption': 'No (none reported)',
'data_exfiltration': 'Yes',
'ransom_demanded': '$2.85 million (in Bitcoin)',
'ransom_paid': 'Unspecified amount (confirmed payment was '
'made)'},
'recommendations': ['Enhance monitoring of dark web/forum activities for '
'early threat detection.',
'Implement stricter access controls and multi-factor '
'authentication (MFA) to prevent credential theft.',
'Conduct regular third-party cybersecurity audits, '
'especially for companies handling sensitive data like '
'student records.',
'Improve transparency in breach disclosures to maintain '
'trust with customers and regulators.',
'Educate employees and students on phishing/social '
'engineering risks to prevent initial access by threat '
'actors.',
'Strengthen partnerships with law enforcement and threat '
'intelligence firms to track and mitigate cybercrime '
'rings.'],
'references': [{'date_accessed': '2024-10',
'source': 'The 74 (Education News)',
'url': 'https://www.the74million.org/'},
{'date_accessed': '2024-05',
'source': 'U.S. Department of Justice Press Release'},
{'date_accessed': '2024-10',
'source': 'Cyble Threat Intelligence Report'},
{'date_accessed': '2024-05',
'source': 'CyberScoop',
'url': 'https://www.cyberscoop.com/'},
{'date_accessed': '2024-05',
'source': 'DataBreaches.net',
'url': 'https://www.databreaches.net/'},
{'date_accessed': '2024-09',
'source': 'Texas Attorney General Press Release'}],
'regulatory_compliance': {'legal_actions': ['Texas Attorney General lawsuit '
'(2025)',
'multiple class-action lawsuits '
'from affected parties'],
'regulatory_notifications': ['delayed notifications '
'to affected '
'students/educators']},
'response': {'communication_strategy': ['delayed public disclosure',
'statements to media',
'notifications to school districts'],
'containment_measures': ['payment of ransom to prevent data leak',
'identity theft services for victims'],
'incident_response_plan_activated': 'Yes (PowerSchool notified '
'customers and worked with '
'law enforcement)',
'law_enforcement_notified': 'Yes (FBI raid in Sterling, MA; DOJ '
'indictment)',
'remediation_measures': ['ongoing updates to affected districts',
'collaboration with law enforcement'],
'third_party_assistance': ['cybersecurity firms (unspecified)',
'law enforcement (FBI)']},
'stakeholder_advisories': ['PowerSchool urged affected districts to monitor '
'for identity theft and offered credit monitoring '
'services.',
'FBI advised educational institutions to review '
'cybersecurity protocols and report suspicious '
'activities.',
'Texas Attorney General advised school districts '
'to verify vendor cybersecurity claims.'],
'threat_actor': ["Matthew Lane (aliases: 'g0re', 'netsaosa', 'g0retrance')",
'unnamed coconspirator (Illinois-based)'],
'title': 'PowerSchool Ransomware Attack and Data Breach by Matthew Lane',
'type': ['ransomware', 'data breach', 'extortion']}
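The root_causes and recommendations entries above single out two gaps: a stolen support credential that could be used without tripping access controls, and no real-time monitoring of bulk data leaving the platform. The block below is an added example, not PowerSchool's code or tooling from this report. It runs a small detector over constructed support-portal access logs and flags the pattern the report describes: one account, connecting from an address not in its history, exporting far more rows than its baseline across many tenants (districts) within a day. The log format, account names, tenant IDs, baseline profile and thresholds are all assumptions made for the example.

```python
"""Flag abuse of a support-portal credential: bulk, cross-tenant exports from an
unfamiliar source address.  Added example with constructed data; the log
format, account names, tenant IDs, baseline and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed 30-day baseline per support account: rows exported per working
# day and the source IPs the account has historically logged in from.
BASELINE = {
    "support_eng_04": {"daily_rows": [1200, 900, 2100, 1500, 800],
                       "ips": {"198.51.100.10"}},
    "support_eng_09": {"daily_rows": [300, 450, 200, 700, 500],
                       "ips": {"198.51.100.11"}},
}

# Constructed portal log.  support_eng_04's credential is used late at night
# from a new address to pull whole tenants (districts) one after another.
SAMPLE_LOG = """\
2024-12-22T14:02:11Z user=support_eng_09 ip=198.51.100.11 action=export tenant=T0017 rows=420
2024-12-22T22:41:03Z user=support_eng_04 ip=203.0.113.77 action=login tenant=- rows=0
2024-12-22T22:43:19Z user=support_eng_04 ip=203.0.113.77 action=export tenant=T0017 rows=310000
2024-12-22T22:51:44Z user=support_eng_04 ip=203.0.113.77 action=export tenant=T0042 rows=275000
2024-12-22T23:05:02Z user=support_eng_04 ip=203.0.113.77 action=export tenant=T0108 rows=512000
2024-12-23T01:12:30Z user=support_eng_04 ip=203.0.113.77 action=export tenant=T0211 rows=190000
2024-12-23T09:15:00Z user=support_eng_09 ip=198.51.100.11 action=export tenant=T0017 rows=500
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"tenant=(?P<tenant>\S+) rows=(?P<rows>\d+)$"
)


def parse(log_text):
    """Parse log lines into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": d["user"], "ip": d["ip"], "action": d["action"],
            "tenant": d["tenant"], "rows": int(d["rows"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text, baseline, window=timedelta(hours=24),
            fanout_tenants=3, bulk_multiplier=10, bulk_floor=20_000):
    """Return {user: [reasons]} for accounts whose activity in any trailing
    `window` exceeds their baseline: exported rows above
    max(bulk_floor, bulk_multiplier * median daily rows), exports spanning
    at least fanout_tenants tenants, or any use from an IP not in the
    account's history."""
    alerts = defaultdict(set)
    by_user = defaultdict(list)
    for e in parse(log_text):
        by_user[e["user"]].append(e)
    for user, events in by_user.items():
        profile = baseline.get(user)
        if profile is None:
            # An account with no history is itself suspicious (a freshly
            # created or long-dormant credential); treat its baseline as zero.
            alerts[user].add("no_baseline")
            known_ips, typical = set(), 0
        else:
            known_ips, typical = profile["ips"], median(profile["daily_rows"])
        bulk_limit = max(bulk_floor, bulk_multiplier * typical)
        for i, e in enumerate(events):
            if e["ip"] not in known_ips:
                alerts[user].add("unseen_source_ip")
            if e["action"] != "export":
                continue
            # All of this account's exports in the trailing window, this one included.
            recent = [x for x in events[:i + 1]
                      if x["action"] == "export" and e["ts"] - x["ts"] <= window]
            if sum(x["rows"] for x in recent) > bulk_limit:
                alerts[user].add("bulk_export")
            if len({x["tenant"] for x in recent}) >= fanout_tenants:
                alerts[user].add("cross_tenant_fanout")
    return {user: sorted(reasons) for user, reasons in alerts.items()}


if __name__ == "__main__":
    for user, reasons in analyze(SAMPLE_LOG, BASELINE).items():
        print(f"ALERT {user}: {', '.join(reasons)}")
```

In practice the baseline would be derived from the portal's own history rather than hard-coded, the thresholds tuned per account role (a support engineer servicing one district at a time should never need four tenants in a night), and the "unseen_source_ip" signal is most useful as a trigger for step-up authentication or session termination rather than as a post-hoc alert, since by the time a bulk export has completed the data is already gone. Egress-side monitoring (large transfers to destinations outside the organization's known footprint, such as the leased foreign server named in this report) is a complementary control that this example does not cover.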