In December 2024, PowerSchool — the largest K-12 education software provider in the United States — suffered a data breach that compromised the personal information of students and teachers across thousands of school districts. The breach was not publicly disclosed until January 2025, when affected districts began notifying families.

PowerSchool’s platform is used by more than 18,000 schools serving over 60 million students. The breach exposed names, addresses, Social Security numbers, medical information, and academic records. For many affected students, this was their first exposure to having sensitive personal data stolen — and they had no choice in the matter. Their schools used PowerSchool. Their data was there.

The breach occurred through a compromised credential used to access a customer support portal. PowerSchool reportedly paid a ransom to the attackers in exchange for deletion of the stolen data — a transaction that security researchers widely describe as unreliable, since there is no enforceable guarantee that data is actually destroyed after payment.

The incident joins a growing list of education sector breaches that have accelerated in recent years. Schools collect extraordinarily sensitive data on minors, often retain it for decades, and historically have operated with security budgets far below what the sensitivity of that data warrants.

For parents, the practical takeaway is grim: the data your child’s school holds about them is only as secure as the vendors that school contracts with. And most parents have no visibility into that supply chain at all.