PowerSchool, a cloud-based K-12 education software provider with 18,000+ global customers, suffered a massive cyberattack in December 2024 orchestrated by 19-year-old Matthew D. Lane and accomplices. Using stolen subcontractor credentials, they breached PowerSchool’s PowerSource customer support portal and exfiltrated sensitive data of 9.5 million teachers and 62.4 million students across 6,505 school districts. Compromised data included full names, addresses, phone numbers, passwords, parent details, Social Security numbers, and medical records. The attackers, posing as the Shiny Hunters threat group, demanded $2.85M in Bitcoin and later attempted secondary extortion against individual school districts. PowerSchool paid an undisclosed ransom. Legal repercussions followed, including a $14M restitution order, a $25,000 criminal fine against Lane, and a lawsuit by Texas AG Ken Paxton against PowerSchool for security negligence. Prior breaches in August–September 2024 (via the same credentials) were also uncovered, though attribution remains unclear. The incident severely damaged trust in PowerSchool’s data protection capabilities.
TPRM report: https://www.rankiteo.com/company/powerschool-group-llc
{
  "id": "pow5002350101625",
  "linkid": "powerschool-group-llc",
  "type": "Ransomware",
  "date": "9/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '6,505 school districts; 9.5M '
'teachers; 62.4M students',
'industry': 'Education Technology (K-12 Cloud '
'Software)',
'location': 'Global (HQ: Folsom, California, USA)',
'name': 'PowerSchool',
'size': '18,000+ customers; supports 60M+ students',
'type': 'EdTech Company'},
{'customers_affected': '9.5M teachers; 62.4M students',
'industry': 'K-12 Education',
'location': 'Global (primarily USA, including Texas)',
'name': '6,505 School Districts',
'type': 'Educational Institutions'}],
'attack_vector': ['Stolen Credentials (Subcontractor)',
'Exploitation of Customer Support Portal (PowerSource)',
'Maintenance Tool Abuse'],
'data_breach': {'data_exfiltration': 'Yes (via maintenance tool; databases '
'downloaded)',
'file_types_exposed': ['Database Dumps',
'CSV/Excel (likely)',
'PDFs (potential)'],
'number_of_records_exposed': '71.9 million (9.5M teachers + '
'62.4M students)',
'personally_identifiable_information': 'Yes (full names, '
'addresses, SSNs, '
'phone numbers, '
'passwords, parent '
'details)',
'sensitivity_of_data': 'High (SSNs, medical data, passwords, '
'parent info)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Educational Records']},
'date_detected': '2024-12-19',
'description': '19-year-old college student Matthew D. Lane orchestrated a '
'cyberattack on PowerSchool, a cloud-based K-12 education '
'software provider, resulting in a massive data breach '
'affecting 9.5 million teachers and 62.4 million students '
'across 6,505 school districts. The attackers used stolen '
'subcontractor credentials to breach PowerSource, exfiltrated '
'sensitive PII, and demanded a $2.85M ransom in Bitcoin under '
"the guise of the 'Shiny Hunters' threat group. PowerSchool "
'paid an undisclosed ransom, but attackers later attempted to '
'extort individual school districts. Prior breaches in August '
'and September 2024 were also linked to the same compromised '
'credentials. Texas AG sued PowerSchool in 2025 for security '
'failures and misleading practices.',
'impact': {'brand_reputation_impact': 'Severe (lawsuit by Texas AG for '
'misleading security practices; global '
'media coverage)',
'customer_complaints': 'Likely high (given Texas AG lawsuit and '
'global scale)',
'data_compromised': ['Full Names',
'Physical Addresses',
'Phone Numbers',
'Passwords',
'Parent Information',
'Contact Details',
'Social Security Numbers',
'Medical Data'],
'financial_loss': '$14 million (restitution) + $25,000 (fine) + '
'undisclosed ransom payment',
'identity_theft_risk': 'High (SSNs, medical data, and PII of 71.9M '
'individuals exposed)',
'legal_liabilities': ['Texas AG lawsuit (2025) for failing to '
'protect data and misleading customers',
'Potential class-action lawsuits from '
'affected individuals'],
'operational_impact': 'Significant disruption to 6,505 school '
'districts worldwide; potential long-term '
"trust erosion in PowerSchool's security "
'practices',
'systems_affected': ['PowerSource Customer Support Portal',
'School Databases',
'Maintenance Tools']},
'initial_access_broker': {'data_sold_on_dark_web': 'Unconfirmed (but Shiny '
'Hunters historically '
'sells data)',
'entry_point': 'Compromised subcontractor '
'credentials (PowerSource portal)',
'high_value_targets': ['School Databases',
'Teacher/Student PII',
'Parent Information'],
'reconnaissance_period': 'At least 4 months (August '
'2024 breaches linked to '
'same credentials)'},
'investigation_status': 'Closed (criminal case against Lane concluded; civil '
'lawsuit by Texas AG ongoing)',
'motivation': ['Financial Gain (Ransomware)', 'Data Theft for Extortion'],
'post_incident_analysis': {'root_causes': ['Inadequate credential hygiene for '
'subcontractors',
'Lack of multi-factor '
'authentication (MFA) on '
'PowerSource portal',
'Delayed detection of '
'August/September 2024 breaches']},
'ransomware': {'data_encryption': 'No (data exfiltration-focused attack)',
'data_exfiltration': 'Yes (9.5M teacher + 62.4M student '
'records)',
'ransom_demanded': '$2.85 million (Bitcoin)',
'ransom_paid': 'Yes (undisclosed amount)'},
'references': [{'source': 'U.S. Department of Justice'},
{'source': 'Court Documents (U.S. District Judge Margaret R. '
'Guzman)'},
{'date_accessed': '2025-04',
'source': 'Texas Attorney General Ken Paxton'},
{'source': 'PowerSchool Disclosure (March 2025)'}],
'regulatory_compliance': {'fines_imposed': '$25,000 (criminal fine against '
'Lane); $14M restitution',
'legal_actions': ['Texas AG lawsuit (2025) against '
'PowerSchool',
'DoJ prosecution of Matthew D. '
'Lane (4-year prison sentence)'],
'regulations_violated': ['Potential FERPA (Family '
'Educational Rights and '
'Privacy Act) violations',
'State data protection '
'laws (e.g., Texas)',
'Misleading security '
'practices (FTC Act '
'potential)']},
'response': {'communication_strategy': ['Limited public disclosure',
'Direct notifications to affected '
'districts (likely)'],
'incident_response_plan_activated': 'Yes (CrowdStrike '
'investigation conducted)',
'law_enforcement_notified': "Yes (FBI/DoJ; led to Lane's arrest "
'and sentencing)',
'recovery_measures': ['Ransom Payment (undisclosed amount)',
'Restitution Efforts'],
'third_party_assistance': ['CrowdStrike (forensics)',
'Legal Counsel (for Texas AG '
'lawsuit)']},
'threat_actor': ['Matthew D. Lane (19-year-old college student)',
'Unnamed Accomplices',
"Claimed affiliation with 'Shiny Hunters'"],
'title': 'PowerSchool Data Breach and Ransomware Attack (December 2024)',
'type': ['Data Breach',
'Ransomware Attack',
'Unauthorized Access',
'Cyber Extortion'],
'vulnerability_exploited': ['Compromised Subcontractor Credentials',
'Inadequate Access Controls for PowerSource '
'Portal']}